CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump
|
|
- Rosemary Pierce
- 5 years ago
- Views:
Transcription
1 CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump Ryan Farley and Xinyuan Wang George Mason University Information Security, the 17 th International Conference ISC 2014, Hong Kong Where Innovation Is Tradition Oct , 2014
2 Problem Need to automate upon detection in memory Avoid substantial manual effort Automatically recover malcode Extract/unpack/recover attack code Memory dump, transient artifacts Input Memory Dump Process Context Registers Execution Trace Log Files Obfuscated Code Analysis Engine Static Dynamic Hybrid Output Attack String Malicious Code Vulnerability Arbitration Obfuscation Removal Normalized Code 1
3 Existing Tools Only work with known boundaries Typically designed for full binaries e.g., PE files Things get nasty without given boundaries Or are arbitrary byte streams Don t generically handle Malformed, Misaligned Obfuscated, Armored 2
4 Solution: CodeXt Discovers executable code within memory dump Upon realtime detection Extracts packed or obfuscated malcode First to generically handle Incremental and Shikata-ga-nai Decoder3 w/ K3 Decoder3 w/ K3 Decoder3 w/ K3 Decoder3 w/ K3 Encoded code, data Transient code 1 Decoder2 w/ K2 Layer 3 decoded Encoded Transient code 2 code, data Transient code 1 Layer Encoded 3 decoded code, data Layer 2 decoded Decoder1 w/ K1 Layer 1 decoded Layer 3 decoded Layer 2 decoded Original memory First snapshot Second snapshot Third snapshot 3
5 Solution: CodeXt Framework built upon S2E Selective means QEMU vs KLEE (LLVM) Decision made per basic block Run-time info of the attack CodeXt Report Run-time memory dump Symbolic Execution Dynamic Binary Analysis Run-time analysis info Offline Analysis Recovered code Obfuscation info Intermediate results 4
6 CodeXt Output Instruction Trace of executed instructions Grouping of fragments into chunks Reveals original and unpacked malcode Assisted by a translation trace Data Trace of memory writes Intelligent memory update clustering Multi-layer snapshots Call Trace of system calls With CPU context 5
7 Problems + Challenges + Solutions 6
8 Handling Byte Streams S2E expects well structured binaries We wrap the binary for execution Info Buffer Output Host to Guest File Transfer Wrapper Guest OS CodeXt S2E Plugin S2E (Modified QEMU) S2E uses basic block granularity Our modified QEMU translation returns more info We leverage translation and execution hooks to verify 7
9 Recognizing Code Avoiding the Halting Problem No infinite loops Caps on executed instructions Different types: target, non-target, system False cognates Illegal first instructions False jumps into suffix Many substrings Matched code fragment: ends on system call, EAX within range Detection Point Random bytes Hidden Code Random bytes Hidden Code Random bytes Hidden Code 8
10 Dealing with Code Fragments Fragmentation Clustering into Chunks, adjacency, execution trace Density Usage: Executed/Range Overlay: Unique executed/range over snapshots Enclosure Continuous executable bytes adjacent to end S2E ( ) S2E (, offset 1 ).. Fragments Match S2E (, offset n ) 9
11 Defeating Obfuscation FPU instructions, fnstenv Added small change to QEMU to comply Intra-basic block self-modification We know address range of each translated block During execution we track writes If any write is to same block we retranslate block Emulator detection Tested for a set of obscure instructions used as canaries 10
12 Results 11
13 Experiments Hidden code search 1KB to 100KB buffers, 40B to 80B shellcodes Filled with either null, live-capture, or random bytes Varied assistance data: EIP, EAX, both, neither Accuracy De-obfuscation, Anti-emulation detection Various packers mentioned in previous research In-shop: Junk code insertion, Ranged xor, Incremental Symbolic Branching 12
14 Multi-Layered Encoders xor_key1 xor_key2 xor_key2 of xor_key1 junk inserted bytes 13
15 Incremental Encoder Decoder3 w/ K3 Decoder3 w/ K3 Decoder3 w/ K3 Decoder3 w/ K3 Encoded code, data Transient code 1 Decoder2 w/ K2 Layer 3 decoded Encoded Transient code 2 code, data Transient code 1 Layer Encoded 3 decoded code, data Layer 2 decoded Layer 1 decoded Layer 3 decoded Layer 2 decoded Decoder1 w/ K1 Original memory First snapshot Second snapshot Third snapshot 14
16 Symbolic Conditionals Logical Start func1() in Hidden Code Frag #1 Hidden Code Frag #2 func3() in Hidden Code Frag #3... y=0; z=1; if (x>==10) y=func3(); else if (x>=0) y=func1(); if (y==0) z=0; if (y==1 && z==0) z=4;... 15
17 Conclusion Emulation is heavy-weight, but Accurate and enables anti-anti-sandbox techniques OS independent Symbolic analysis engine opens avenues Taint propagation and analysis Fuller branch exploration and pruning heuristics CodeXt Accurately pinpoints and models even highly obfuscated code in adverse conditions. 16
18 Current/Future Development Full binary (ELF/PE) support Modeling unmodified executables Without source code Data and code based taint analysis Can mark any input e.g., all network socket reads Follow not only by data, but instruction influence 17
19 Thank you for your time Any questions? Post-talk, please feel free to contact us 18
T Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationlike a boss Automatically Extracting Obfuscated Strings from Malware
like a boss Automatically Extracting Obfuscated Strings from Malware d41d8cd98f00b204e9800998ecf8427e a5ca7e7281d8b8a570a529895106b1fa PE file format Imports Exports Section metadata strings.exe PE
More informationArgos Emulator. Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam
Argos Emulator Georgios Portokalidis Asia Slowinska Vrije Universiteit Amsterdam Why? Too many vulnerabilities New worm attacks Human intervention too slow Current solutions are problematic Time consuming
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationLecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
More informationShellcode Analysis. Chapter 19
Shellcode Analysis Chapter 19 What is Shellcode Shellcode a payload of raw executable code, attackers use this code to obtain interactive shell access. A binary chunk of data Can be generally referred
More informationImplementing your own generic unpacker
HITB Singapore 2015 Julien Lenoir - julien.lenoir@airbus.com October 14, 2015 Outline 1 Introduction 2 Test driven design 3 Fine tune algorithm 4 Demo 5 Results 6 Conclusion October 14, 2015 2 Outline
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More information143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018
143A: Principles of Operating Systems Lecture 5: Address translation Anton Burtsev October, 2018 Two programs one memory Or more like renting a set of rooms in an office building Or more like renting a
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking
More informationTriggering Deep Vulnerabilities Using Symbolic Execution
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the
More informationBinary Code Extraction and Interface Identification for Security Applications
Binary Code Extraction and Interface Identification for Security Applications Juan Caballero Noah M. Johnson Stephen McCamant Dawn Song Electrical Engineering and Computer Sciences University of California
More informationMesocode: Optimizations for Improving Fetch Bandwidth of Future Itanium Processors
: Optimizations for Improving Fetch Bandwidth of Future Itanium Processors Marsha Eng, Hong Wang, Perry Wang Alex Ramirez, Jim Fung, and John Shen Overview Applications of for Itanium Improving fetch bandwidth
More informationMaking Dynamic Instrumentation Great Again
Making Dynamic Instrumentation Great Again Malware Research Team @ @xabiugarte [advertising space ] Deep Packer Inspector https://packerinspector.github.io https://packerinspector.com Many instrumentation
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More informationAutomated Signature Generation: Overview and the NoAH Approach. Bernhard Tellenbach
Automated Signature Generation: Overview and the NoAH Approach Structure Motivation: The speed of insecurity Overview Building Blocks and Techniques The NoAH approach 2 The speed of insecurity Source:
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationINFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION
INFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION GRENOBLE INP ENSIMAG http://www.ensimag.fr COMPUTER SCIENCE 3RD YEAR IF-MMIS - 1ST SEMESTER, 2011 Lecturers: Fabien Duchene -
More informationThings You May Not Know About Android (Un)Packers: A Systematic Study based on Whole- System Emulation
Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole- System Emulation Yue Duan, Mu Zhang, Abhishek Vasisht Bhaskar, Heng Yin, Xiaorui Pan, Tongxin Li, Xueqiang Wang, XiaoFeng
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationReverse Engineering Malware Dynamic Analysis of Binary Malware II
Reverse Engineering Malware Dynamic Analysis of Binary Malware II Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com Advanced dynamic analysis Debugger scripting Hooking
More informationThe CPU and Memory. How does a computer work? How does a computer interact with data? How are instructions performed? Recall schematic diagram:
The CPU and Memory How does a computer work? How does a computer interact with data? How are instructions performed? Recall schematic diagram: 1 Registers A register is a permanent storage location within
More informationExploit Mitigation - PIE
Exploit Mitigation - PIE Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch ASCII Armor Arbitrary Write Overflow Local
More informationW4118: virtual machines
W4118: virtual machines Instructor: Junfeng Yang References: Modern Operating Systems (3 rd edition), Operating Systems Concepts (8 th edition), previous W4118, and OS at MIT, Stanford, and UWisc Virtual
More informationA Data Driven Approach to Designing Adaptive Trustworthy Systems
A Data Driven Approach to Designing Adaptive Trustworthy Systems Ravishankar K. Iyer (with A. Sharma, K. Pattabiraman, Z. Kalbarczyk, Center for Reliable and High-Performance Computing Department of Electrical
More informationIntroduction to Symbolic Execution
Introduction to Symbolic Execution Classic Symbolic Execution 1 Problem 1: Infinite execution path Problem 2: Unsolvable formulas 2 Problem 3: symbolic modeling External function calls and system calls
More informationProgram Vulnerability Analysis Using DBI
Program Vulnerability Analysis Using DBI CodeEngn Co-Administrator DDeok9@gmail.com 2011.7.2 www.codeengn.com CodeEngn ReverseEngineering Conference Outline What is DBI? Before that How? A simple example
More informationPolymorphic Blending Attacks. Slides by Jelena Mirkovic
Polymorphic Blending Attacks Slides by Jelena Mirkovic 1 Motivation! Polymorphism is used by malicious code to evade signature-based IDSs Anomaly-based IDSs detect polymorphic attacks because their byte
More informationFlare-On 5: Challenge 7 Solution WorldOfWarcraft.exe
Flare-On 5: Challenge 7 Solution WorldOfWarcraft.exe Challenge Author: Ryan Warns Summary This challenge implements a 32-bit Windows binary meant to run in a Windows on Windows (WOW) environment. Analysis
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationExtended Page Tables (EPT) A VMM must protect host physical memory Multiple guest operating systems share the same host physical memory VMM typically implements protections through page-table shadowing
More informationDetecting Self-Mutating Malware Using Control-Flow Graph Matching
Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo Martignoni Mattia Monga Dipartimento di Informatica e Comunicazione Università degli Studi di Milano {bruschi,martign,monga}@dico.unimi.it
More informationProspector: accurate analysis of heap and stack overflows by means of age stamps
Technical report IR-CS-031 Prospector: accurate analysis of heap and stack overflows by means of age stamps Asia Slowinska and Herbert Bos Vrije Universiteit Amsterdam {asia,herbertb}@few.vu.nl Abstract
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationMetasm. a ruby (dis)assembler. Yoann Guillot. 20 october 2007
Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007 Metasm Presentation I am Yoann Guillot I work for Sogeti/ESEC in the security R&D lab Metasm HACK.LU 2007 2 / 23 Plan Metasm 1 Metasm 2 Metasm
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationHypervisor security. Evgeny Yakovlev, DEFCON NN, 2017
Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017 whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2 Agenda Why hypervisor
More informationMario Vuksan and Tomislav Pericin, ReversingLabs FILE ANALYSIS AND UNPACKING: THE AGE OF 40M NEW SAMPLES PER YEAR
Mario Vuksan and Tomislav Pericin, ReversingLabs FILE ANALYSIS AND UNPACKING: THE AGE OF 40M NEW SAMPLES PER YEAR Agenda Big and scary numbers Introduction to the binary mess out there (the problem) Packers
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More informationSneha Rajguru & Prajwal Panchmahalkar
Sneha Rajguru & Prajwal Panchmahalkar Sneha Rajguru Security Consultant, Payatu Technologies Pvt Ltd. @sneharajguru Prajwal Panchmahalkar Red Team Lead Security Engineer, VMware @pr4jwal Introduction to
More informationSoftware Protection: How to Crack Programs, and Defend Against Cracking Lecture 5: Code Obfuscation II Minsk, Belarus, Spring 2014
Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 5: Code Obfuscation II Minsk, Belarus, Spring 2014 Christian Collberg University of Arizona www.cs.arizona.edu/ collberg
More informationBlackhat USA 2017 Tools Arsenal - AntiVirus Evasion Tool (AVET)
Blackhat USA 2017 Tools Arsenal - AntiVirus Evasion Tool (AVET) by Daniel Sauder (@DanielX4v3r) AVET is the AntiVirus Evasion Tool, which was developed to support the pentesters job and for experimenting
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationThe Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack
The Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack Asia Slowinska, Herbert Bos Vrije Universiteit Amsterdam Department of Computer Science, Faculteit der Exacte
More informationI/O Systems. Amir H. Payberah. Amirkabir University of Technology (Tehran Polytechnic)
I/O Systems Amir H. Payberah amir@sics.se Amirkabir University of Technology (Tehran Polytechnic) Amir H. Payberah (Tehran Polytechnic) I/O Systems 1393/9/15 1 / 57 Motivation Amir H. Payberah (Tehran
More informationBuilding a Reactive Immune System for Software Services
Building a Reactive Immune System for Software Services Tobias Haupt January 24, 2007 Abstract In this article I summarize the ideas and concepts of the paper Building a Reactive Immune System for Software
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationTaint Nobody Got Time for Crash Analysis
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationTo Detect Stack Buffer Overflow With Polymorphic Canaries
To Detect Stack Buffer Overflow With Polymorphic Canaries 何钟灵 April 29, 2018 1 Personal 1.1 intro This is based on an essay by Zhilong Wang in our group. Our group is named SECLAB in Lab 428, Building
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 8 Arbitrary Code Execution: Threats & Countermeasures
More informationTales from cloud nine. Mihai Chiriac, BitDefender
Tales from cloud nine Mihai Chiriac, BitDefender Talk outline Motivation Technical challenges Implementation results Future ideas Conclusions Reasons Malware numbers have grown at exponential rates 5000000
More informationLecture 2: The Art of Emulation
CSCI-GA.3033-015 Virtual Machines: Concepts & Applications Lecture 2: The Art of Emulation Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Disclaimer: Many slides of this lecture are based
More information9. Security. Safeguard Engine. Safeguard Engine Settings
9. Security Safeguard Engine Traffic Segmentation Settings Storm Control DoS Attack Prevention Settings Zone Defense Settings SSL Safeguard Engine D-Link s Safeguard Engine is a robust and innovative technology
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationA Survey of Obfuscations in Prevalent Packer Tools
A Survey of Obfuscations in Prevalent Packer Tools Kevin Roundy Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin March 26, 2012 1 Types of program analysis Source code Friendly binary Uncooperative
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationSoftware Crash Analysis for Automatic Exploit GenerationonBinaryPrograms
270 IEEE TRANSACTIONS ON RELIABILITY, VOL. 63, NO. 1, MARCH 2014 Software Crash Analysis for Automatic Exploit GenerationonBinaryPrograms Shih-Kun Huang, Member, IEEE, Min-Hsiang Huang, Po-Yen Huang, Han-Lin
More informationMemory management. Last modified: Adaptation of Silberschatz, Galvin, Gagne slides for the textbook Applied Operating Systems Concepts
Memory management Last modified: 26.04.2016 1 Contents Background Logical and physical address spaces; address binding Overlaying, swapping Contiguous Memory Allocation Segmentation Paging Structure of
More informationIdentifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationHeaps of Heap-based Memory Attacks
Heaps of Heap-based Memory Attacks Kevin Leach kleach2@gmu.edu Center for Secure Information Systems 3 October 2012 K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October 2012 1 / 23 Goals During
More informationRooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018
Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationVirtualization. Adam Belay
Virtualization Adam Belay What is a virtual machine Simulation of a computer Running as an application on a host computer Accurate Isolated Fast Why use a virtual machine? To run multiple
More informationELEC 377 Operating Systems. Week 1 Class 2
Operating Systems Week 1 Class 2 Labs vs. Assignments The only work to turn in are the labs. In some of the handouts I refer to the labs as assignments. There are no assignments separate from the labs.
More informationTim Ebringer The university of Melbourne, Australia Li Sun RMIT university, Australia Serdar Boztas RMIT university, Australia VB 2008 Ottawa,
A FAST RANDOMNESS TEST THAT PRESERVES LOCAL DETAIL Tim Ebringer The university of Melbourne, Australia Li Sun RMIT university, Australia Serdar Boztas RMIT university, Australia VB 2008 Ottawa, Canada,
More informationSoftware Protection: How to Crack Programs, and Defend Against Cracking Lecture 5: Code Obfuscation II Moscow State University, Spring 2014
Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 5: Code Obfuscation II Moscow State University, Spring 2014 Christian Collberg University of Arizona www.cs.arizona.edu/
More informationWhite Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection
White Paper New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection The latest version of the flagship McAfee Gateway Anti-Malware technology adapts to new threats and plans for future
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationDesign of Decode, Control and Associated Datapath Units
1 Design of Decode, Control and Associated Datapath Units ECE/CS 3710 - Computer Design Lab Lab 3 - Due Date: Thu Oct 18 I. OVERVIEW In the previous lab, you have designed the ALU and hooked it up with
More informationAgenda. Motivation Generic unpacking Typical problems Results
Who we are Product: ewido security suite Protection against Trojans, Adware, Spyware,... First release: Christmas 2003 Emulation research since 2002 Used for generic unpacking Agenda Motivation Generic
More informationReverse Engineering Malware Binary Obfuscation and Protection
Reverse Engineering Malware Binary Obfuscation and Protection Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com Binary Obfuscation and Protection What is covered in this
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationIntroduction to Computer Science. Homework 1
Introduction to Computer Science Homework. In each circuit below, the rectangles represent the same type of gate. Based on the input and output information given, identify whether the gate involved is
More informationBeyond a sensor. Towards the Globalization of SURFids. FIRST 20 th Annual Conference Vancouver, Canada
Beyond a sensor Towards the Globalization of SURFids Wim.Biemolt@surfnet.nl FIRST 20 th Annual Conference Vancouver, Canada 1 SURFnet6 2 SURFcert 3 18 th Annual FIRST Conference Goals - Understanding:
More information238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018
238P: Operating Systems Lecture 5: Address translation Anton Burtsev January, 2018 Two programs one memory Very much like car sharing What are we aiming for? Illusion of a private address space Identical
More informationPluggable Transports Roadmap
Pluggable Transports Roadmap Steven J. Murdoch and George Kadianakis steven.murdoch@cl.cam.ac.uk,asn@torproject.org Tor Tech Report 2012-03-003 March 17, 2012 Abstract Of the currently available pluggable
More informationSAND: A Fault-Tolerant Streaming Architecture for Network Traffic Analytics
1 SAND: A Fault-Tolerant Streaming Architecture for Network Traffic Analytics Qin Liu, John C.S. Lui 1 Cheng He, Lujia Pan, Wei Fan, Yunlong Shi 2 1 The Chinese University of Hong Kong 2 Huawei Noah s
More informationVulnerability Discovery in Closed Source / Bytecode Encrypted PHP Applications
Vulnerability Discovery in Closed Source / Bytecode Encrypted PHP Applications Stefan Esser Power Of Community November 2008 Seoul Who am I? Stefan Esser from Cologne/Germany 10 years in Information Security
More informationAutomatic Binary Exploitation and Patching using Mechanical [Shell]Phish University of California, Santa Barbara (UCSB)
Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara (UCSB) HITCON Pacific December 2nd, 2016 Shellphish
More informationFLARE-On 4: Challenge 3 Solution greek_to_me.exe
FLARE-On 4: Challenge 3 Solution greek_to_me.exe Challenge Author: Matt Williams (@0xmwilliams) greek_to_me.exe is a Windows x86 executable whose strings reveal what is likely the desired state of the
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationSA30228 / CVE
Generated by Secunia 29 May, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Tested Versions 5 Fixed Versions 5 References 5 Generated by Secunia 29 May,
More informationRed Leaves implant - overview
Ahmed Zaki David Cannings March 2017 Contents 1 Handling information 3 2 Introduction 3 3 Overview 3 3.1 Summary of files analysed.......................................... 3 3.2 Execution flow................................................
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationAdaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel
More informationECS 153 Discussion Section. April 6, 2015
ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)
More informationLinux Memory Analysis with Volatility. Andrew Case Digital Forensics Solutions
Linux Memory Analysis with Volatility Andrew Case Digital Forensics Solutions Purpose of the Talk To highlight the Linux analysis capabilities integrated into the Volatility framework within the last year
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationDefending against Polymorphic Attacks: Recent Results and Open Questions
Defending against Polymorphic Attacks: Recent Results and Open Questions mikepo@ics.forth.gr Institute of Computer Science Foundation for Research and Technology Hellas Crete, Greece TERENA Networking
More information