Security through Multi-Layer Diversity

Transcription

1 Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1

2 Bringing Diversity to Computing Monoculture Current computing monoculture leaves our infrastructure vulnerable to massive and rapid attacks. Knowing that victim systems run on a specific software stack, an attacker can compromise them deterministically. 2

3 3

4 4

5 Response from Security Community W R, ASLR, CFI, CPI, MPX Softbound, CETS Address Sanitizer, Memory Sanitizer, Thread Sanitizer 5

6 Limitations of Existing Schemes Widely-deployed security schemes: W R, ASLR, CFI Not hard to by-pass 6

7 Limitations of Existing Schemes Widely-deployed security schemes: W R, ASLR, CFI Not hard to by-pass More sophisticated schemes: LLVM sanitizers Offer protection against only specific vulnerabilities Refuse to be combined due to conflicts in design 7

8 Limitations of Existing Schemes Widely-deployed security schemes: W R, ASLR, CFI Not hard to by-pass More sophisticated schemes: LLVM sanitizers Offer protection against only specific vulnerabilities Refuse to be combined due to conflicts in design Accumulated overhead: Softbound + CETS 110% slowdown 8

9 A Biological Inspiration Even the deadliest virus cannot kill all species because of gene diversity 9

10 Enhance System Security Through Diversity Input Software Stack Output 10

11 Enhance System Security Through Diversity Input Input Virtualization Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 11 Output

12 Enhance System Security Through Diversity Input (benign) Input Virtualization Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 12 Output (consensus)

13 Enhance System Security Through Diversity Input (malicious) Input Virtualization Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 13 No output (divergence)

14 Enhance System Security Through Diversity Input (malicious) Input Virtualization An attacker has to simultaneously compromise all variants in order to to compromise the whole system Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 14 No output (divergence)

15 Enhance System Security Through Diversity Input Process Zend Linux Software Stack Implementation Platform Output 15

16 Enhance System Security Through Diversity Input Input Virtualization Process ASan MSan UBSan Zend Linux Software Stack Zend Zend Zend Linux Linux Linux Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 16 Output

17 Enhance System Security Through Diversity Input Input Virtualization ASan MSan UBSan Zend Implementation Zend HHVM JPHP Linux Software Stack Linux Linux Linux Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 17 Output

18 Enhance System Security Through Diversity Input Input Virtualization ASan MSan UBSan Zend Zend HHVM JPHP Linux Platform Linux Windows MacOS Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 18 Output

19 Enhance System Security Through Diversity Input Input Virtualization Bunshin (ATC 17) ASan MSan UBSan Zend Future work Zend HHVM JPHP Linux PlatPal (Security 17) Linux Windows MacOS Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 19 Output

20 Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee Georgia Tech Presented at the 2017 USENIX Annual Technical Conference (ATC 17) 20

21 Battle against Memory Errors Protect dangerous operation using sanity checks: Auto-applied at compile time void foo(t *a) { *a = 0x1234; } Sanitize void foo(t *a) { if(!is_valid_address(a) { report_and_abort(); } *a = 0x1234; } 21

22 Battle against Memory Errors Memory Error Main Causes Defenses Lack of length check Out-of-bound read/write Use-after-free Uninitialized read Undefined behaviors Integer overflow Format string bug Bad type casting Dangling pointer Double free Lack of initialization Data structure alignment Subword copying Divide-by-zero Pointer misalignment Null-pointer dereference Softbound AddressSanitizer CETS AddressSanitizer MemorySanitizer UndefinedBehaviorSanitizer 22

23 Comprehensive Protection with Bunshin Accumulated execution slowdown Example: Softbound + CETS 110% slowdown Bunshin: Reduce to 60% or 40% (depends on the config) Implementation conflicts Example: AddressSanitizer and MemorySanitizer Bunshin: Seamlessly enforce conflicting sanitizers 23

24 Challenges for Bunshin How to generate these variants? What properties they should have? How to make them appear as one to outsiders? What is a behavior and what is a divergence? What if the sanitizers introduces new behaviors? Multi-threading support? 24

25 Variant Generation Principles Check distribution Sanitizer distribution 25

26 Check Distribution Input Input Virtualization Partition 1 Partition 1 Partition 2 Partition 3 Program Partition 2 Partition 3 Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output 26

27 Sanitizer Distribution Input Input Virtualization A D D R E S S M E M O R Y U N D E F Program A D D R E S S M E M O R Y Variant 1 Variant 2 Variant 3 U N D E F Output Synchronize Execution & Consolidate Outputs Output 27

28 Cost Profiling Calculate the slowdown caused by the sanity checks void foo(t *a) { timing_start(); *a = 0x1234; timing_end(); } void foo(t *a) { timing_start(); if(!is_valid_address(a) { report_and_abort(); } *a = 0x1234; timing_end(); } 28

29 Cost Distribution Equally distribute overhead to variants so that they execute at the same speed Foo Bar 17% 28% Foo Baz 17% 35% Variant 1 (52% overhead) Baz Qux 35% 20% Bar Qux 28% 20% Variant 2 (48% overhead) 29

30 Variant Generation Process Source code Security mechanisms (e.g., ASan, MSan, UBSan) Variant generator Costs profiling opt. Overhead distribution opt. Variant compiling Variants full w/ MSan w/ ASan... w/ UBSan w/ ASan... selective 30

31 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Syscall number Arguments Execution result sync slot 31

32 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel 1 Leader enters syscall Syscall number Arguments Execution result sync slot 32

33 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Syscall number Arguments Execution result sync slot 2 Followers enter syscall 33

34 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Syscall number Arguments Execution result 3 Kernel execute the syscall only once sync slot 34

35 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel 4 Leader fetches syscall result Syscall number Arguments Execution result sync slot 4 Followers fetch syscall result 35

36 Strict and Selective Lockstep Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Leader writes at the next available slot Followers read at their own speed sync ring buffer 36

37 Strict and Selective Lockstep Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Always strictly synchronized for write related system calls sync ring buffer 37

38 Multi-threading Support Before fork Original Execution group After fork New Execution group Leader New ring buffer Follower 1 Follower 2 38

39 Multi-threading Support Before fork Original Execution group Works if there is no interleaving After fork between threads New Execution group Leader New ring buffer Follower 1 Follower 2 39

40 Multi-threading Support Leader Follower 1 Follower 2 Userspace Kernel Record Enforce Enforce Total order of lock acquisition and releases 40

41 Multi-threading Support Leader Follower 1 Follower 2 Userspace Kernel Works under Record weak determinism Enforce Enforce (data race-free programs) Implementation specific (pthread APIs only) Total order of lock acquisition and releases 41

42 Evaluate Bunshin Robustness and Security Efficiency and Scalability Protection Distribution Case Studies 42

43 Robustness Benchmark Single/Multi-thread Featuer Pass? SPEC CPU2006 Single SPLASH-2x Multi CPU Intensive PARSEC Multi 6 out of 13 lighttpd Single I/O Intensive nginx Multi python, php Single Interpreter 43

44 Security RIPE Benchmark Config Succeed Probabilistic Failed Not possible Default AddressSanitizer Bunshin Real-world CVEs Config CVE Exploits Sanitizer Detect nginx Blind ROP AddressSanitizer cpython Integer overflow AddressSanitizer php Type confusion AddressSanitizer openssl-1.0.1a Heartbleed AddressSanitizer httpd Null dereference UndefinedBehaviorSanitizer 44

45 Performance Benchmark Items Strict-Lockstep Selective-Lockstep Max 17.5% 14.7% SPEC CPU2006 (19 Programs) Min 1.6% 1.0% Ave 8.6% 5.6% Max 21.4% 18.9% SPLASH-2X / PARSEC (19 Programs) Min 10.7% 6.6% Ave 16.6% 14.5% lighttpd 1MB File Request nginx 1MB File Request Ave 1.44% 1.21% Ave 1.71% 1.41% 45

46 Performance Highlights Low overhead (5% - 16%) for standard benchmarks Negligible overhead (<= 2%) for server programs Extra cost of ensuring weak determinism is 8% Selective-lockstep saves around 3% overhead 46

47 Scalability - Number of Variants Ave Max Min 37.6 Sync Overhead (%) Number of variants 47

48 Scalability - Number of Variants Ave Max Min 37.6 Sync Overhead (%) The number of variants Bunshin can support with a reasonable 17.2 overhead depends on machine configurations and program characteristics Number of variants 48

49 Scalability - System Load Ave Max Min 13 Sync Overhead (%) % 50% 99% Number of variants 49

50 Scalability - System Load Ave Max Min 13 Sync Overhead (%) 6.4 Bunshin works well in all levels of system load (i.e., Bunshin does not require exclusive cores) % 50% 99% Number of variants 50

51 Check Distribution - ASan Overhead (%) Overhead (%) Whole V1 V2 Bunshin Whole V1 V2 V3 Bunshin 51

52 Sanitizer Distribution - UBSan Overhead (%) Overhead (%) Whole V1 V2 Bunshin Whole V1 V2 V3 Bunshin 52

53 Unifying LLVM Sanitizers ASan MSan UBSan Bunshin Overhead (%) gobmk povray h264ref average 53

54 Unifying LLVM Sanitizers ASan MSan UBSan Bunshin Overhead (%) With 165 an average of 5% more slowdown, 141 Bunshin can seamlessly unify all three LLVM sanitizers gobmk povray h264ref average 54

55 Limitations and Future Work Finer-grained check distribution Sanitizer integration Record-and-replay 55

56 Conclusion It is feasible to achieve both comprehensive protection and high throughput with an N-version system Bunshin is effective in reducing slowdown caused by sanitizers 107% 47.1% for ASan, 228% 94.5% for UBSan Bunshin can seamlessly unify three LLVM sanitizers with 5% extra slowdown (Source code will be released soon) 56

57 Enhance System Security Through Diversity Input Input Virtualization Bunshin (ATC 17) ASan MSan UBSan Zend Future work Zend HHVM JPHP Linux PlatPal (Security 17) Linux Windows MacOS Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 57 Output

58 PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Tech Presented at the 2017 USENIX Security Symposium (Security 17) 58

59 Malicious Documents On the Rise 59

60 60

61 61

62 Adobe Components Exploited Element parser JavaScript engine 137 CVEs in 2015 Font manager 227 CVEs in 2016 System dependencies 62

63 Maldoc Formula Flexibility of doc spec A large attack surface More opportunities to profit Less caution from users 63

64 Battle against Maldoc - A Survey Category Focus Work Year Detection JavaScript PJScan 2011 Lexical analysis JavaScript Vatamanu et al Token clustering JavaScript Lux0r 2014 API reference classification Static JavaScript MPScan 2013 Shellcode and opcode sig Metadata PDF Malware Slayer 2012 Linearized object path Metadata Srndic et al Hierarchical structure Metadata PDFrate 2012 Content meta-features Both Maiorca et al Many heuristics combined JavaScript MDScan 2011 Shellcode and opcode sig JavaScript PDF Scrutinizer 2012 Known attack patterns Dynamic JavaScript ShellOS 2011 Memory access patterns JavaScript Liu et al Common attack behaviors Memory CWXDetector 2012 Violation of invariants 64

65 Reliance on External PDF Parser Category Focus Work Year Detection External Parser? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 65

66 Reliance on External PDF Parser Category Focus Work Year Detection External Parser? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Parser-confusion attacks Metadata Srndic et al Hierarchical structure Yes (Carmony et al., NDSS 16) Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 66

67 Reliance on Machine Learning Category Focus Work Year Detection Machine Learning? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns No JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 67

68 Reliance on Machine Learning Category Focus Work Year Detection Machine Learning? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Automatic classifier evasions Metadata Srndic et al Hierarchical structure Yes (Xu et al., NDSS 16) Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns No JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 68

69 Reliance on Known Attacks Category Focus Work Year Detection Known Attacks? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig Yes Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 69

70 Reliance on Known Attacks Category Focus Work Year Detection Known Attacks? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig Yes Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes How about zero-day attacks? Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 70

71 Reliance on Detectable Discrepancy (between benign and malicious docs) Category Focus Work Year Detection Discrepancy? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 71

72 Reliance on Detectable Discrepancy (between benign and malicious docs) Category Focus Work Year Detection Discrepancy? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Mimicry and reverse mimicry attacks Metadata Srndic et al Hierarchical structure Yes (Srndic et al., Oakland 14 and Maiorca et al, AsiaCCS 13) Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 72

73 Highlights of the Survey Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy Parser-confusion attacks Automatic classifier evasion Zero-day attacks Mimicry and reverse mimicry 73

74 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 74

75 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 75

76 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 76

77 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 77

78 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 78

79 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 79

80 A Motivating Example A CVE PoC against Adobe Reader SHA-1: d cb0b4bfcc73fc007bfeb6d84 80

81 81

82 82

83 Platform Diversity as A Heuristic When the same document is opened across different platforms: A benign document behaves the same A malicious document behaves differently 83

84 Questions for PlatPal What is a behavior? What is a divergence? How to trace them? How to compare them? 84

85 PlatPal Basic Setup Virtual Machine 1? Virtual Machine 2 Adobe Reader Adobe Reader Windows Host MacOS Host 85

86 PlatPal Dual-Level Tracing Virtual Machine 1? Virtual Machine 2 Adobe Reader Internal Tracer Traces of PDF processing Adobe Reader Internal Tracer Windows Host MacOS Host 86

87 PlatPal Dual-Level Tracing Virtual Machine 1? Virtual Machine 2 Adobe Reader Internal Tracer Traces of PDF processing Adobe Reader Internal Tracer Syscalls External Tracer Windows Host Impacts on host platform Syscalls External Tracer MacOS Host 87

88 PlatPal Internal Tracer Adobe Reader Internal Tracer COS object parsing PD tree construction Script execution Other actions Element rendering Implemented as an Adobe Reader plugin. Hooks critical functions and callbacks during the PDF processing lifecycle. Very fast and stable across Adobe Reader versions. 88

89 PlatPal External Tracer Virtual Machine Adobe Reader Filesystem Operations Network Activities Syscalls External Tracer Program Executions Normal Exit or Crash Host Platform Implemented based on NtTrace (for Windows) and Dtrace (for MacOS). Resembles high-level system impacts in the same manner as Cuckoo guest agent. Starts tracing only after the document is loaded into Adobe Reader. 89

90 PlatPal Automated Workflow PlatPal <file-to-check> Restore Clean Snapshot Restore Clean Snapshot Launch Adobe Reader Launch Adobe Reader Attach External Tracer Attach External Tracer Open PDF Open PDF Drive PDF by Internal Tracer Drive PDF by Internal Tracer Dump Traces Dump Traces Windows VM Compare Traces MacOS VM 90

91 Evaluate PlatPal Robustness against benign samples A benign document behaves the same? Effectiveness against malicious samples A malicious document behaves differently? Speed and resource usages 91

92 Robustness 1000 samples from Google search. 30 samples that use advanced features in PDF standards from PDF learning sites. Sample Type Number of Samples Divergence Detected? (i.e., False Positive) Plain PDF 966 No Embedded fonts 34 No JavaScript code 32 No AcroForm 17 No 3D objects 2 No 92

93 Effectiveness 320 malicious samples from VirusTotal with CVE labels. Restricted to analyze CVEs published after Use the most recent version of Adobe Reader when the CVE is published. 93

94 Effectiveness Analysis Results of 320 Maldoc Samples 24% 65% 11% No Divergence Both Crash Divergence 94

95 Effectiveness Analysis Results of 320 Maldoc Samples Breakdown of 77 potentially false positives 24% 25% 65% 11% 47% 3% 26% No Divergence 95 Targets old versions Mis-classified by AV vendor No malicious activity trigerred Unknown

96 Time and Resource Usages Average Analysis Time Breakdown (unit. Seconds) Item Windows MacOS Snapshot restore Document parsing Script execution Element rendering Total Resource Usages 2GB memory per running virtual machine. 60GB disk space for Windows and MacOS snapshots that each corresponds to one of the 6 Adobe Readers versions. 96

97 Evaluation Highlights Confirms our fundamental assumption in general: benign document behaves the same malicious document behaves differently PlatPal is subject to the pitfalls of dynamic analysis i.e., prepare the environment to lure the malicious behaviors Incurs reasonable analysis time to make PlatPal practical 97

98 Further Analysis What could be the root causes of these divergences? 98

99 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Memory Management Platform Features 99

100 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Syscall semantics Both the syscall number and the register set used to hold syscall arguments are different Calling convention rcx, rdx, r8 for first 3 args rdi, rsi, rdx for first 3 args Library dependencies e.g., LoadLibraryA e.g. dlopen Memory Management Platform Features 100

101 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Syscall semantics Both the syscall number and the register set used to hold syscall arguments are different Calling convention rcx, rdx, r8 for first 3 args rdi, rsi, rdx for first 3 args Library dependencies e.g., LoadLibraryA e.g. dlopen Memory Management Memory layout Offset from attack point (e.g., overflowed buffer) to target address (e.g., vtable entries) are different Heap management Segment heap Magazine malloc Platform Features 101

102 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Syscall semantics Both the syscall number and the register set used to hold syscall arguments are different Calling convention rcx, rdx, r8 for first 3 args rdi, rsi, rdx for first 3 args Library dependencies e.g., LoadLibraryA e.g. dlopen Memory Management Memory layout Offset from attack point (e.g., overflowed buffer) to target address (e.g., vtable entries) are different Heap management Segment heap Magazine malloc Executable format COM, PE, NE Mach-O Platform Features Filesystem semantics \ as separator, prefixed drive letter C:\ / as separator, no prefixed drive letter Config and info hub registry proc Expected programs MS Office, IE, etc Safari, etc 102

103 Back to The Motivating Example 1. Allocate bytes chunks 2. Free 1 in every Load a 300-byte malicious BMP image 4. Corrupt heap metadata due to a buffer overflow 5. Free BMP image, but what is actually freed is slot 9 6. A vtable of 300-byte is allocated on slot 9, which is attacker controlled 103

104 Another Case Study CVE PoC Example 104

105 Bypass PlatPal? An attacker has to simultaneously compromise all platforms in order to bypass PlatPal. 105

106 Limitations of PlatPal User-interaction driven attacks Social engineering attacks e.g., fake password prompt Other none-determinism to cause divergences e.g., JavaScript gettime or RNG functions 106

107 Potential Deployment of PlatPal Not suitable for on-device analysis. Best suited for cloud storage providers which can scan for maldocs among existing files or new uploads. Also fits the model of online malware scanning services like VirusTotal. As a complementary scheme, PlatPal can be integrated with prior works to provide better prediction accuracy. 107

108 Conclusion It is feasible to harvest platform diversity for malicious document detection. PlatPal raises no false alarms in benign samples and detects a variety of behavioral discrepancies in malicious samples. PlatPal is scalable with various ways to deploy and integrate. (Source code will be released soon) 108

109 Future Works on Diversity Framework Implementation diversity Case study: PHP interpreters: Zend vs HHVM Integration with fuzzing Divergence as an indicator of exception, in addition to crashes and failed assertions Integration with symbolic execution Test whether two functionally similar modules enforce the same sequence and types of checks 109

110 Future Works on Diversity Framework Implementation diversity Case study: PHP interpreters: Zend vs HHVM Integration with fuzzing Divergence as an indicator of exception, in addition to crashes and failed assertions Integration with symbolic execution Test whether two functionally similar modules enforce the same sequence and types of checks 110

111 Future Works on Diversity Framework Implementation diversity Case study: PHP interpreters: Zend vs HHVM Integration with fuzzing Divergence as an indicator of exception, in addition to crashes and failed assertions Integration with symbolic execution Test whether two functionally similar modules enforce the same sequence and types of checks 111

112 Publications 1. Checking Open-Source License Violation and 1-day Security Risk at Large Scale Ruian Duan, Ashish Bijlani, Meng Xu, Taesoo Kim, and Wenke Lee In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS'17) 2. PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu, and Taesoo Kim In Proceedings of the 26th USENIX Security Symposium (Security'17) 3. Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee In Proceedings of the 2017 USENIX Annual Technical Conference (ATC'17) 4. Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques Meng Xu, Chengyu Song, Yang ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, and Taesoo Kim In ACM Computing Surveys (CSUR) Volume 49, Issue 2, August UCognito: Private Browsing without Tears Meng Xu, Yeongjin Jang, Xinyu Xing, Taesoo Kim, and Wenke Lee. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS'15) 112