Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra
Monitoring Systems & Binaries
Marcus Botacin
Informatics - Federal University of Parana (UFPR) - Brazil
mfbotacin@inf.ufpr.br
November 2018
Monitoring Systems & Binaries FAU @ Erlangen
Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra
Agenda
1 Introduction
2 Software-Based Solutions
3 Evasion Techniques
4 Hardware-Assisted Solutions
5 Attacks
6 Conclusions
7 Extra
About Me
Malware Analyst (2012)
B.Sc. Computer Engineering @ UNICAMP (2015)
  Sandbox Development
M.Sc. Computer Science @ UNICAMP (2017)
  Hardware-Assisted Malware Analysis
Ph.D. Computer Science @ UFPR (Present)
  Hardware-Assisted Malware Detection
  AntiVirus Evaluation
  Future Threats
  Contextual and Social Malware Effects
Why Monitoring?
Policy Enforcement
Logging
Forensics
Debugging
Malware Analysis
Reverse Engineering
Real Trace Examples
7/4/2014 -13:5:1.895|DeleteOperation|2032|C:\deposito.exe|C:\ProgramData\rr.txt|
7/4/2014 -13:3:48.294|CreateProcess|3028|C:\Monitor\Malware\visualizar.exe|2440|C:\Windows\SysWOW64\dll.exe
2014-05-14 20:02:40.963113 10.10.100.101 XX.YY.ZZ.121 HTTP 290 GET /.swim01/control.php?ia&mi=00B5AB4E-47098BC3 HTTP/1.1
Function Interposition
Figure: Source: https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html
Techniques I
Kernel Tables
  System Service Dispatch Table (SSDT)
  Interrupt Descriptor Table (IDT)
  Global Descriptor Table (GDT)
Userland Tables
  API hooking
  DLL injection
Techniques II
Binary Patching
  Inline hooking
OS Support
  Detours
  Callbacks
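The table-based techniques above (SSDT, IDT, IAT/API hooking) all come down to the same move: a monitor replaces a function pointer in a dispatch table with a wrapper that records the call and forwards it to the original. The following is an added example, not code from the slides, that models this with a constructed two-entry "service table" (svc_table, svc_open, svc_write and the monitor_* helpers are all invented for the illustration). It also shows the defender-side integrity check that makes such hooks visible: compare every table entry against the known implementations, because a rootkit hooking the same table looks exactly like the monitor does.

```c
/* Added example (not from the slides): table-based function interposition
 * in the style of SSDT / IAT hooking, plus a table integrity check.
 * All names and the two "services" are constructed for the demo. */
#include <stdio.h>
#include <string.h>

typedef long (*svc_fn)(long arg);

/* Two constructed "system services". */
long svc_open(long arg)  { return arg + 1; }
long svc_write(long arg) { return arg * 2; }

/* The dispatch table callers go through (think SSDT or IAT). */
enum { SVC_OPEN = 0, SVC_WRITE = 1, SVC_COUNT = 2 };
svc_fn svc_table[SVC_COUNT] = { svc_open, svc_write };

/* Saved originals and an event log filled in by the wrappers. */
svc_fn svc_orig[SVC_COUNT];
char   monitor_log[256];
int    monitor_calls;

long hooked_open(long arg) {
    monitor_calls++;
    strncat(monitor_log, "open;", sizeof monitor_log - strlen(monitor_log) - 1);
    return svc_orig[SVC_OPEN](arg);      /* forward to the real service */
}
long hooked_write(long arg) {
    monitor_calls++;
    strncat(monitor_log, "write;", sizeof monitor_log - strlen(monitor_log) - 1);
    return svc_orig[SVC_WRITE](arg);
}

/* Install: remember the original pointer, then point the table at the wrapper. */
void monitor_install(void) {
    svc_orig[SVC_OPEN]   = svc_table[SVC_OPEN];
    svc_orig[SVC_WRITE]  = svc_table[SVC_WRITE];
    svc_table[SVC_OPEN]  = hooked_open;
    svc_table[SVC_WRITE] = hooked_write;
}
void monitor_remove(void) {
    svc_table[SVC_OPEN]  = svc_orig[SVC_OPEN];
    svc_table[SVC_WRITE] = svc_orig[SVC_WRITE];
}

/* How a caller dispatches: through the table, unaware of any hook. */
long dispatch(int idx, long arg) { return svc_table[idx](arg); }

/* Integrity check (defender's view): count entries that no longer point
 * at the known service implementations. */
int table_tampered_entries(void) {
    svc_fn known[SVC_COUNT] = { svc_open, svc_write };
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (svc_table[i] != known[i]) n++;
    return n;
}

int main(void) {
    printf("clean table: %d tampered entries\n", table_tampered_entries());
    monitor_install();
    dispatch(SVC_OPEN, 41);
    dispatch(SVC_WRITE, 21);
    printf("log: %s calls=%d tampered=%d\n",
           monitor_log, monitor_calls, table_tampered_entries());
    monitor_remove();
    printf("restored: %d tampered entries\n", table_tampered_entries());
    return 0;
}
```

The wrapper must forward to the saved original rather than back through the table, otherwise it recurses into itself; the same mistake is a common bug in real hooking code.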
In Practice...
Figure: Real malware claiming a registry problem when an anti-analysis trick succeeded.
In Practice...
Figure: Commercial solution armored with anti-debug technique.
In Practice...
Figure: Real malware impersonating a security solution which cannot run under a hypervisor.
Detecting Analysis Procedures
#include <stdio.h>
#include <windows.h>
int main(void) {
    if (IsDebuggerPresent())
        printf("debugged\n");
    else
        printf("NO DBG\n");
}

cmp [eax+0xe9], eax   ;; 0xe9 = JMP
pop rbp
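The second snippet above compares against 0xE9, the opcode of a JMP rel32: a function whose first byte is E9 has almost certainly been inline-hooked. Read from the defender's side, that is the integrity check a monitor runs on its own hook-free entry points, and decoding the rel32 tells where the detour goes. The following is an added example, not code from the slides: check_entry, the hook_report struct and the three byte images are constructed, as are the addresses.

```c
/* Added example (not from the slides): inspect the first bytes of a
 * function image for an inline JMP rel32 hook (opcode 0xE9), decode the
 * target, and report whether it leaves the module's own address range.
 * Function images, addresses and names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32 0xE9

typedef struct {
    int      hooked;   /* 1 if the entry starts with JMP rel32 */
    uint64_t target;   /* absolute jump target, valid only if hooked */
    int      foreign;  /* 1 if target lies outside [mod_lo, mod_hi) */
} hook_report;

/* code/len: bytes at the function entry; addr: where they live;
 * mod_lo/mod_hi: the owning module's address range. */
hook_report check_entry(const uint8_t *code, size_t len, uint64_t addr,
                        uint64_t mod_lo, uint64_t mod_hi) {
    hook_report r = {0, 0, 0};
    if (len < 5 || code[0] != JMP_REL32)
        return r;                          /* prologue intact */
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);    /* little-endian signed rel32 */
    r.hooked  = 1;
    r.target  = addr + 5 + (int64_t)rel;   /* target = next instruction + rel32 */
    r.foreign = !(r.target >= mod_lo && r.target < mod_hi);
    return r;
}

/* Constructed images: an ordinary prologue, a detour that stays inside the
 * module (hot-patch style), and a detour into a foreign region. */
const uint8_t img_clean[]   = { 0x55, 0x48, 0x89, 0xE5, 0x90 };  /* push rbp; mov rbp,rsp; nop */
const uint8_t img_local[]   = { 0xE9, 0x10, 0x00, 0x00, 0x00 };  /* jmp +0x10 */
const uint8_t img_foreign[] = { 0xE9, 0xFB, 0xFF, 0xFF, 0xEF };  /* jmp -0x10000005 */

int main(void) {
    uint64_t base = 0x7ffd0000, end = 0x7ffe0000, fn = 0x7ffd1000;
    hook_report a = check_entry(img_clean,   5, fn, base, end);
    hook_report b = check_entry(img_local,   5, fn, base, end);
    hook_report c = check_entry(img_foreign, 5, fn, base, end);
    printf("clean:   hooked=%d\n", a.hooked);
    printf("local:   hooked=%d target=0x%llx foreign=%d\n",
           b.hooked, (unsigned long long)b.target, b.foreign);
    printf("foreign: hooked=%d target=0x%llx foreign=%d\n",
           c.hooked, (unsigned long long)c.target, c.foreign);
    return 0;
}
```

Only the first byte is tested, which is why real monitors also compare the whole prologue against the on-disk image: a hook placed a few bytes in, or a short JMP (0xEB), passes this check.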
Anti-Analysis Summary
Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures.
Technique        | Description                                  | Reason                                | Implementation
Anti-Debug       | Check if running inside a debugger           | Blocks reverse engineering attempts   | Fingerprinting
Anti-VM          | Check if running inside a VM                 | Analysts use VMs for scalability      | Execution side-effect
Anti-Disassembly | Fool disassemblers to generate wrong opcodes | AV signatures may be based on opcodes | Undecidable constructions
Transparency
1 Higher privilege level.
2 No non-privileged side-effects.
3 Identical Basic Instruction Semantics.
4 Transparent Exception Handling.
5 Identical Measurement of Time.
Hardware Features Summary
Technique | PROS              | CONS                        | Gaps
HVM       | Ring -1           | Hypervisor development      | High overhead
SMM       | Ring -2           | BIOS development            | High implementation cost
AMT       | Ring -3           | Chipset code change         | No malware analysis solution
HPCs      | Lightweight       | Context-limited information | No malware analysis solution
GPU       | Easy to program   | No register data            | No introspection procedures
SGX       | Isolates goodware | Also isolates malware       | No enclave inspection
SOCs      | Tamper-proof      | Passive components          | Raise alarms
HVM
Figure: HVM operating layers.
HVM
Figure: Ether Sandbox Exits.
SMM
Figure: Operation modes. Source: https://tinyurl.com/l2uqr8d
Figure: SMI generation.
A ring to rule them all!
Figure: Privileged rings. Figure: New privileged rings.
Isolated Enclaves
Figure: SGX Memory Protection
Agenda
1 Introduction
2 Software-Based Solutions
3 Evasion Techniques
4 Hardware-Assisted Solutions
5 Attacks
6 Conclusions
7 Extra
DMA Attacks I
Figure: Hypervisor attack.
DMA Attacks II
Figure: Source: https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf
SGX Malware
Figure: SGX Malware
Agenda
1 Introduction
2 Software-Based Solutions
3 Evasion Techniques
4 Hardware-Assisted Solutions
5 Attacks
6 Conclusions
7 Extra
References
Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys.
Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security.
The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking Techniques.
Conclusions
Thanks Tilo for hosting me.
Open to hear your questions.
Proposed Framework
Figure: Proposed framework architecture.
Could I develop a performance-counter-based malware analyzer? Could I isolate processes' actions?
Figure: Data Storage (DS) AREA.
Could I develop a performance-counter-based malware analyzer? Could I isolate processes' actions?
Figure: Local Vector Table (LVT).
Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
Table: ASLR - Library placement after two consecutive reboots.
Library   | NTDLL      | KERNEL32   | KERNELBASE
Address 1 | 0xBAF80000 | 0xB9610000 | 0xB8190000
Address 2 | 0x987B0000 | 0x98670000 | 0x958C0000
Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
Table: Function offsets from the ntdll.dll library.
Function                   | Offset
NtCreateProcess            | 0x3691
NtCreateProcessEx          | 0x30B0
NtCreateProfile            | 0x36A1
NtCreateResourceManager    | 0x36C1
NtCreateSemaphore          | 0x36D1
NtCreateSymbolicLinkObject | 0x36E1
NtCreateThread             | 0x30C0
NtCreateThreadEx           | 0x36F1
Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
Figure: Introspection Mechanism.
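The two tables above make the introspection point: library bases move on every boot under ASLR, but function offsets inside a library do not, so a raw branch address can be resolved to library!function+delta once the current base is known. The following is an added example, not code from the slides, of that resolution step. The base addresses and the ntdll offsets are the ones from the tables; the module sizes, the trace addresses, and the names resolve and resolve_boot are constructed for the illustration.

```c
/* Added example (not from the slides): resolve raw trace addresses to
 * library!function+delta from the per-boot library base and the fixed
 * function offsets, so the trace survives ASLR. Bases and ntdll offsets
 * come from the slides' tables; sizes and trace addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;
typedef struct { const char *name; uint64_t offset; } symbol_t;

/* Library placement after boot 1 and boot 2 (sizes are constructed). */
module_t modules_boot1[] = {
    { "NTDLL",      0xBAF80000, 0x1A0000 },
    { "KERNEL32",   0xB9610000, 0x0F0000 },
    { "KERNELBASE", 0xB8190000, 0x2A0000 },
};
module_t modules_boot2[] = {
    { "NTDLL",      0x987B0000, 0x1A0000 },
    { "KERNEL32",   0x98670000, 0x0F0000 },
    { "KERNELBASE", 0x958C0000, 0x2A0000 },
};

/* Function offsets from the ntdll.dll table; these do not change per boot. */
symbol_t ntdll_syms[] = {
    { "NtCreateProcess",            0x3691 },
    { "NtCreateProcessEx",          0x30B0 },
    { "NtCreateProfile",            0x36A1 },
    { "NtCreateResourceManager",    0x36C1 },
    { "NtCreateSemaphore",          0x36D1 },
    { "NtCreateSymbolicLinkObject", 0x36E1 },
    { "NtCreateThread",             0x30C0 },
    { "NtCreateThreadEx",           0x36F1 },
};

/* Writes "MODULE!symbol+0xdelta" (or "MODULE+0xrva" when no symbol is known,
 * or "?" when the address is in no module). Returns 1 if a module matched. */
int resolve(uint64_t addr, const module_t *mods, size_t nmods, char *out, size_t outsz) {
    for (size_t i = 0; i < nmods; i++) {
        if (addr < mods[i].base || addr >= mods[i].base + mods[i].size) continue;
        uint64_t rva = addr - mods[i].base;
        const symbol_t *best = NULL;   /* nearest symbol at or before rva */
        if (strcmp(mods[i].name, "NTDLL") == 0)
            for (size_t k = 0; k < sizeof ntdll_syms / sizeof *ntdll_syms; k++)
                if (ntdll_syms[k].offset <= rva &&
                    (!best || ntdll_syms[k].offset > best->offset))
                    best = &ntdll_syms[k];
        if (best)
            snprintf(out, outsz, "%s!%s+0x%llx", mods[i].name, best->name,
                     (unsigned long long)(rva - best->offset));
        else
            snprintf(out, outsz, "%s+0x%llx", mods[i].name, (unsigned long long)rva);
        return 1;
    }
    snprintf(out, outsz, "?");
    return 0;
}

/* Convenience: resolve against the placement of boot 1 or boot 2. */
const char *resolve_boot(uint64_t addr, int boot) {
    static char buf[96];
    resolve(addr, boot == 1 ? modules_boot1 : modules_boot2, 3, buf, sizeof buf);
    return buf;
}

int main(void) {
    /* Same function, different boots: the raw addresses differ, the symbol does not. */
    printf("%s\n", resolve_boot(0xBAF83696, 1));   /* NTDLL!NtCreateProcess+0x5 */
    printf("%s\n", resolve_boot(0x987B3696, 2));   /* NTDLL!NtCreateProcess+0x5 */
    printf("%s\n", resolve_boot(0xB9612000, 1));   /* KERNEL32+0x2000 */
    printf("%s\n", resolve_boot(0x10, 1));         /* ? */
    return 0;
}
```

Picking the nearest preceding symbol is what gives the +delta seen in the Step Into figure (printf+0xca and the like); an address below the first known offset falls back to a plain module-relative RVA instead of being attributed to the wrong function.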
Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
Figure: Step Into (call-graph nodes: NewToy, printf, printf+0xca, __iob_func, printf+0xe3, _lock_file+0x90).
Figure: Step Over (call-graph nodes: NewToy, printf, scanf+0x3f).
Is CFG reconstruction possible?
Figure: Code block identification.
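Code block identification from a branch trace rests on one observation: between the address where one branch lands and the address the next branch leaves from, execution is linear, so every consecutive pair of records delimits one executed block, and repeated pairs are loop iterations. The following is an added example, not code from the slides, of that reconstruction over a constructed six-record window; identify_blocks, the branch_t/block_t types and the addresses are all invented for the illustration.

```c
/* Added example (not from the slides): recover executed code blocks from a
 * branch window. Record i lands at br[i].to and record i+1 leaves from
 * br[i+1].from, so that pair is one linearly executed block; repeated
 * pairs (loop iterations) collapse. Records and addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint64_t from, to; } branch_t;
typedef struct { uint64_t start, end; } block_t;   /* first and last instruction */

static int cmp_block(const void *a, const void *b) {
    const block_t *x = a, *y = b;
    return x->start < y->start ? -1 : x->start > y->start;
}

/* Fills `out` with the distinct blocks sorted by start address; returns the count. */
size_t identify_blocks(const branch_t *br, size_t n, block_t *out, size_t cap) {
    size_t nb = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        block_t b = { br[i].to, br[i + 1].from };
        if (b.end < b.start) continue;       /* lost records: skip rather than guess */
        int dup = 0;
        for (size_t k = 0; k < nb && !dup; k++)
            dup = (out[k].start == b.start && out[k].end == b.end);
        if (!dup && nb < cap) out[nb++] = b;
    }
    qsort(out, nb, sizeof *out, cmp_block);
    return nb;
}

/* Constructed window: a call into a loop that runs three times, then returns. */
const branch_t demo_trace[] = {
    { 0x1000, 0x2000 },   /* call -> loop head */
    { 0x2010, 0x2000 },   /* jnz  -> loop head (iteration 2) */
    { 0x2010, 0x2000 },   /* jnz  -> loop head (iteration 3) */
    { 0x2010, 0x2020 },   /* jmp  -> after the loop */
    { 0x2030, 0x1005 },   /* ret  -> caller */
    { 0x1010, 0x3000 },   /* jmp  -> elsewhere */
};
block_t demo_blocks[16];

size_t run_demo(void) {
    return identify_blocks(demo_trace, sizeof demo_trace / sizeof *demo_trace,
                           demo_blocks, 16);
}

int main(void) {
    size_t n = run_demo();
    for (size_t i = 0; i < n; i++)
        printf("block %zu: 0x%llx - 0x%llx\n", i,
               (unsigned long long)demo_blocks[i].start,
               (unsigned long long)demo_blocks[i].end);
    return 0;
}
```

Three distinct blocks come out of six records: the loop body is seen three times but stored once. Real traces also drop records when the hardware buffer overflows, which is why a block whose end precedes its start is skipped instead of being merged with its neighbours.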
Is the final solution transparent?
Identified tricks
0x190 xor eax, eax
0x192 jnz 0x19c

0x180 push 0x10a
0x185 ret
Is the final solution transparent?
Identified tricks
0x340 cmp eax, 0xe9
0x345 jnz 0x347

0x400 QWORD PTR fs:0x0, rsp
0x409 mov rax, QWORD PTR [rsp+0xc]
0x40e cmp rbx, QWORD PTR [rax+0x4]
Is the final solution transparent?
Deviating Behavior
Figure: Deviating behavior identification.
Is the final solution transparent?
Deviating Behavior
Figure: Divergence: True Positive. Figure: Divergence: False Positive.
Could I develop a Debugger?
Inverted I/O
Figure: Debugger’s working mechanism.
Could I develop a Debugger?
Suspending Processes
EnumProcessThreads + SuspendThread.
DebugActiveProcess.
NtSuspendProcess.
Could I develop a Debugger?
Integration
Figure: GDB integration.
Does the solution handle ROP attacks?
ROP Attacks
Figure: ROP chain example.
Does the solution handle ROP attacks?
CALL-RET Policy
Figure: CALL-RET CFI policy.
Does the solution handle ROP attacks?
Gadget-size policy
Figure: KBouncer’s exploit stack.
Does the solution handle ROP attacks?
Exploit Analysis
Table: Excerpt of the branch window of the ROP payload.
FROM       | TO
----       | 0x7c346c0a
0x7c346c0b | 0x7c37a140
0x7c37a141 | ----
Does the solution handle ROP attacks?
Exploit Analysis
7c346c08: f2 0f 58 c3           addsd  %xmm3,%xmm0
7c346c0c: 66 0f 13 44 24 04     movlpd %xmm0,0x4(%esp)

0x1000 (size=1) pop rax
0x1001 (size=1) ret
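The two policies from the previous slides can both be evaluated over a branch window like the table above: CALL-RET requires every RET target to sit right after a CALL instruction, and the gadget-size policy (the kBouncer-style check) flags a run of RETs each reached after only a handful of instructions. The following is an added example, not code from the slides, running both over two constructed windows; the 23-byte code image, its base address, the branch_t layout with its insns_before field, and both windows are invented for the illustration.

```c
/* Added example (not from the slides): CALL-RET and gadget-size CFI
 * policies evaluated over a branch window. The code image, addresses and
 * branch records are constructed; the policies are the slides' topic. */
#include <stdint.h>
#include <stdio.h>

enum { BR_CALL, BR_RET, BR_JMP };
typedef struct {
    uint64_t from, to;
    int      kind;          /* BR_CALL / BR_RET / BR_JMP */
    unsigned insns_before;  /* instructions run since the previous branch landed */
} branch_t;

/* Constructed code image mapped at CODE_BASE. */
#define CODE_BASE 0x401000ULL
const uint8_t code_img[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,   /* 0x401000: call 0x401015 -> legit return site 0x401005 */
    0x90, 0x90, 0x90,               /* 0x401005: nop nop nop */
    0xFF, 0xD0,                     /* 0x401008: call rax      -> legit return site 0x40100A */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, /* 0x40100A..0x401014 */
    0x58,                           /* 0x401015: pop rax  (gadget start) */
    0xC3,                           /* 0x401016: ret */
};

/* CALL-RET policy: is `target` immediately preceded by E8 rel32 (5 bytes)
 * or FF /2 (2 bytes, call r/m)? A production checker must also handle the
 * opcode byte showing up inside a longer instruction; this keeps it simple. */
int call_precedes(uint64_t target) {
    if (target < CODE_BASE || target >= CODE_BASE + sizeof code_img) return 0;
    uint64_t off = target - CODE_BASE;
    if (off >= 5 && code_img[off - 5] == 0xE8) return 1;
    if (off >= 2 && code_img[off - 2] == 0xFF && ((code_img[off - 1] >> 3) & 7) == 2) return 1;
    return 0;
}

/* Number of RETs in the window whose target is not call-preceded. */
int call_ret_violations(const branch_t *w, size_t n) {
    int v = 0;
    for (size_t i = 0; i < n; i++)
        if (w[i].kind == BR_RET && !call_precedes(w[i].to)) v++;
    return v;
}

/* Gadget-size policy: longest run of consecutive RETs each reached after
 * fewer than max_insns instructions; any other record breaks the run. */
int gadget_chain_detected(const branch_t *w, size_t n, unsigned max_insns, int min_chain) {
    int run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        if (w[i].kind == BR_RET && w[i].insns_before < max_insns) {
            if (++run > best) best = run;
        } else {
            run = 0;
        }
    }
    return best >= min_chain;
}

/* Benign window: two calls, each returning to the instruction after its call. */
const branch_t benign_window[] = {
    { 0x401000, 0x401015, BR_CALL, 3 },
    { 0x401016, 0x401005, BR_RET,  2 },
    { 0x401008, 0x401015, BR_CALL, 8 },
    { 0x401016, 0x40100A, BR_RET,  2 },
};
/* ROP-like window: the pop/ret gadget chained to itself, plus one return to
 * a call-preceded site that CALL-RET alone would accept. */
const branch_t rop_window[] = {
    { 0x402000, 0x401015, BR_RET, 1 },
    { 0x401016, 0x401016, BR_RET, 1 },
    { 0x401016, 0x401015, BR_RET, 1 },
    { 0x401016, 0x401015, BR_RET, 1 },
    { 0x401016, 0x401005, BR_RET, 2 },
};

int main(void) {
    printf("benign: CALL-RET violations=%d gadget chain=%d\n",
           call_ret_violations(benign_window, 4), gadget_chain_detected(benign_window, 4, 5, 4));
    printf("rop:    CALL-RET violations=%d gadget chain=%d\n",
           call_ret_violations(rop_window, 5), gadget_chain_detected(rop_window, 5, 5, 4));
    return 0;
}
```

The last ROP record shows why the two policies are combined: a gadget that happens to return to a call-preceded address satisfies CALL-RET, but the run of five short RET-terminated segments still trips the gadget-size threshold.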
Is the solution easy to implement?
Lines of Code comparison
Figure: Lines of Code by solution (y axis: lines of code, log scale from 100 to 1×10^6; x axis: solution, with Ether:Comp, Ether:Xen, Ether:Patches, Ether:Patch, Ether:Ctl, MAVMM:Comp, MAVMM:Rep, Bit:Comp, Our:Comp, Our:Cli, Our:Drv, Our:Scr).
Is the solution portable?
Talking about Linux
static __init int bts_init(void)
{
	bts_pmu.capabilities = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE;
	bts_pmu.task_ctx_nr  = perf_sw_context;
	bts_pmu.event_init   = bts_event_init;
	bts_pmu.add          = bts_event_add;
	bts_pmu.del          = bts_event_del;
	bts_pmu.start        = bts_event_start;
	bts_pmu.stop         = bts_event_stop;
	bts_pmu.read         = bts_event_read;
	return perf_pmu_register(&bts_pmu, "intel_bts", -1);
}
Is the solution portable?
Talking about Linux
perf_init(&pe, MMAP_PAGES);
fcntl(gbl_status.fd_evt, F_SETOWN, getpid());
monitor_loop(pid_child, s_outfile);
Is the solution's overhead acceptable? Could the solution run in real time?
Task                             | Base value | System monitoring | Penalty | Benchmark monitoring | Penalty
Floating-point operations (op/s) | 101530464  | 99221196          | 2.27%   | 97295048             | 4.17%
Integer operations (op/s)        | 285649964  | 221666796         | 22.40%  | 219928736            | 23.01%
MD5 hashes (hash/s)              | 777633     | 568486            | 26.90%  | 568435               | 26.90%
RAM transfer (MB/s)              | 7633       | 6628              | 13.17%  | 6224                 | 18.46%
HDD transfer (MB/s)              | 90         | 80                | 11.11%  | 75                   | 16.67%
Overall (benchmark points)       | 518        | 470               | 9.27%   | 439                  | 15.25%
Monitoring Systems & Binaries FAU @ Erlangen

More Related Content

DOC
Cst 630 Enhance teaching / snaptutorial.com
DOCX
CST 630 RANK Achievement Education--cst630rank.com
DOC
Cst 630 Inspiring Innovation--tutorialrank.com
PDF
Cst 630 Education Organization-snaptutorial.com
PDF
Cst 630 Believe Possibilities / snaptutorial.com
DOCX
Cst 630Education Specialist / snaptutorial.com
DOCX
CST 630 Effective Communication - snaptutorial.com
DOCX
CST 630 Exceptional Education - snaptutorial.com
Cst 630 Enhance teaching / snaptutorial.com
CST 630 RANK Achievement Education--cst630rank.com
Cst 630 Inspiring Innovation--tutorialrank.com
Cst 630 Education Organization-snaptutorial.com
Cst 630 Believe Possibilities / snaptutorial.com
Cst 630Education Specialist / snaptutorial.com
CST 630 Effective Communication - snaptutorial.com
CST 630 Exceptional Education - snaptutorial.com

What's hot (19)

DOCX
CST 630 RANK Inspiring Innovation--cst630rank.com
PDF
CST 630 RANK Become Exceptional--cst630rank.com
PDF
CST 630 RANK Introduction Education--cst630rank.com
DOCX
CST 630 RANK Educational Specialist--cst630rank.com
PDF
CST 630 RANK Remember Education--cst630rank.com
DOCX
CST 630 RANK Redefined Education--cst630rank.com
PDF
AUTOMATED PENETRATION TESTING: AN OVERVIEW
PDF
IRJET- A Study on Penetration Testing using Metasploit Framework
PDF
Security life cycle
PPTX
Zero-bug Software, Mathematically Guaranteed
PPT
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
PDF
Hardware-Assisted Malware Analysis
PDF
Towards 0-bug software in the automotive industry
PDF
Five Common Mistakes made when Conducting a Software FMECA
PPT
Learn software testing with tech partnerz 2
PDF
Mathematically Guaranteeing Code Correctness with TrustInSoft
PPTX
Introduction to Software Failure Modes Effects Analysis
PDF
Software Failure Modes Effects Analysis Overview
PDF
NASA Software Safety Guidebook
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Redefined Education--cst630rank.com
AUTOMATED PENETRATION TESTING: AN OVERVIEW
IRJET- A Study on Penetration Testing using Metasploit Framework
Security life cycle
Zero-bug Software, Mathematically Guaranteed
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Hardware-Assisted Malware Analysis
Towards 0-bug software in the automotive industry
Five Common Mistakes made when Conducting a Software FMECA
Learn software testing with tech partnerz 2
Mathematically Guaranteeing Code Correctness with TrustInSoft
Introduction to Software Failure Modes Effects Analysis
Software Failure Modes Effects Analysis Overview
NASA Software Safety Guidebook
Ad

Similar to Monitoring Systems & Binaries (20)

PDF
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
PDF
Análise de malware com suporte de hardware
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
PPTX
Countering Innovative Sandbox Evasion Techniques Used by Malware
PPTX
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
PPT
B-Sides Seattle 2012 Offensive Defense
PPTX
Let's Talk Technical: Malware Evasion and Detection
PPTX
Malware 101 by saurabh chaudhary
PPTX
Security research over Windows #defcon china
PPT
13517398.ppt
PDF
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
PDF
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
PDF
Automating Analysis and Exploitation of Embedded Device Firmware
PDF
Malware Collection and Analysis via Hardware Virtualization
PDF
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
PDF
Csw2016 d antoine_automatic_exploitgeneration
PDF
x86 Software Reverse-Engineering, Cracking, and Counter-Measures 1st Edition ...
PDF
Technical Workshop - Win32/Georbot Analysis
PDF
Cyber security-briefing-presentation
PDF
Analisis Estatico y de Comportamiento de un Binario Malicioso
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Análise de malware com suporte de hardware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
B-Sides Seattle 2012 Offensive Defense
Let's Talk Technical: Malware Evasion and Detection
Malware 101 by saurabh chaudhary
Security research over Windows #defcon china
13517398.ppt
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Automating Analysis and Exploitation of Embedded Device Firmware
Malware Collection and Analysis via Hardware Virtualization
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Csw2016 d antoine_automatic_exploitgeneration
x86 Software Reverse-Engineering, Cracking, and Counter-Measures 1st Edition ...
Technical Workshop - Win32/Georbot Analysis
Cyber security-briefing-presentation
Analisis Estatico y de Comportamiento de un Binario Malicioso
Ad

More from Marcus Botacin (20)

PDF
Cross-Regional Malware Detection via Model Distilling and Federated Learning
PDF
What do malware analysts want from academia? A survey on the state-of-the-pra...
PDF
GPThreats: Fully-automated AI-generated malware and its security risks
PDF
[Texas A&M University] Research @ Botacin's Lab
PDF
Pilares da Segurança e Chaves criptográficas
PDF
Machine Learning by Examples - Marcus Botacin - TAMU 2024
PDF
Near-memory & In-Memory Detection of Fileless Malware
PDF
GPThreats-3: Is Automated Malware Generation a Threat?
PDF
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
PDF
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
PDF
Hardware-accelerated security monitoring
PDF
How do we detect malware? A step-by-step guide
PDF
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
PDF
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
PDF
On the Malware Detection Problem: Challenges & Novel Approaches
PDF
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
PDF
Near-memory & In-Memory Detection of Fileless Malware
PDF
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
PDF
Integridade, confidencialidade, disponibilidade, ransomware
PDF
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Cross-Regional Malware Detection via Model Distilling and Federated Learning
What do malware analysts want from academia? A survey on the state-of-the-pra...
GPThreats: Fully-automated AI-generated malware and its security risks
[Texas A&M University] Research @ Botacin's Lab
Pilares da Segurança e Chaves criptográficas
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Near-memory & In-Memory Detection of Fileless Malware
GPThreats-3: Is Automated Malware Generation a Threat?
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
Hardware-accelerated security monitoring
How do we detect malware? A step-by-step guide
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
On the Malware Detection Problem: Challenges & Novel Approaches
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
Near-memory & In-Memory Detection of Fileless Malware
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Integridade, confidencialidade, disponibilidade, ransomware
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...

Recently uploaded (20)

PPTX
Substance Disorders- part different drugs change body
PPTX
LIPID & AMINO ACID METABOLISM UNIT-III, B PHARM II SEMESTER
PDF
Communicating Health Policies to Diverse Populations (www.kiu.ac.ug)
PPTX
Platelet disorders - thrombocytopenia.pptx
PDF
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
PPTX
congenital heart diseases of burao university.pptx
PDF
The Future of Telehealth: Engineering New Platforms for Care (www.kiu.ac.ug)
PPT
1. INTRODUCTION TO EPIDEMIOLOGY.pptx for community medicine
PPT
Enhancing Laboratory Quality Through ISO 15189 Compliance
PPTX
limit test definition and all limit tests
PDF
Integrative Oncology: Merging Conventional and Alternative Approaches (www.k...
PPTX
SCIENCE 4 Q2W5 PPT.pptx Lesson About Plnts and animals and their habitat
PPTX
Introcution to Microbes Burton's Biology for the Health
PPTX
perinatal infections 2-171220190027.pptx
PDF
Chapter 3 - Human Development Poweroint presentation
PPTX
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
PDF
Worlds Next Door: A Candidate Giant Planet Imaged in the Habitable Zone of ↵ ...
PPT
THE CELL THEORY AND ITS FUNDAMENTALS AND USE
PPTX
Cells and Organs of the Immune System (Unit-2) - Majesh Sir.pptx
PDF
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
Substance Disorders- part different drugs change body
LIPID & AMINO ACID METABOLISM UNIT-III, B PHARM II SEMESTER
Communicating Health Policies to Diverse Populations (www.kiu.ac.ug)
Platelet disorders - thrombocytopenia.pptx
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
congenital heart diseases of burao university.pptx
The Future of Telehealth: Engineering New Platforms for Care (www.kiu.ac.ug)
1. INTRODUCTION TO EPIDEMIOLOGY.pptx for community medicine
Enhancing Laboratory Quality Through ISO 15189 Compliance
limit test definition and all limit tests
Integrative Oncology: Merging Conventional and Alternative Approaches (www.k...
SCIENCE 4 Q2W5 PPT.pptx Lesson About Plnts and animals and their habitat
Introcution to Microbes Burton's Biology for the Health
perinatal infections 2-171220190027.pptx
Chapter 3 - Human Development Poweroint presentation
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
Worlds Next Door: A Candidate Giant Planet Imaged in the Habitable Zone of ↵ ...
THE CELL THEORY AND ITS FUNDAMENTALS AND USE
Cells and Organs of the Immune System (Unit-2) - Majesh Sir.pptx
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw

Monitoring Systems & Binaries

  • 1. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Monitoring Systems & Binaries Marcus Botacin1 1Informatics - Federal University of Parana (UFPR) - Brazil mfbotacin@inf.ufpr.br November 2018 Monitoring Systems & Binaries FAU @ Erlangen
  • 2. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 3. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 4. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra About Me Malware Analyst (2012) BsC. Computer Engineer @ UNICAMP (2015) Sandbox Development MsC. Computer Science @ UNICAMP (2017) Hardware-Assisted Malware Analysis PhD. Computer Science @ UFPR (Present) Hardware-Assisted Malware Detection AntiVirus Evaluation Future Threats Contextual and Social Malware effects Monitoring Systems & Binaries FAU @ Erlangen
  • 5. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Why Monitoring ? Policy Enforcement Logging Forensics Debugging Malware Analysis Reverse Engineer Monitoring Systems & Binaries FAU @ Erlangen
  • 6. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Real Trace Examples 1 7/4/2014 −13:5:1.895| DeleteOperation |2032|C: deposito . exe |C: ProgramData r r . t x t | 1 7/4/2014 −13:3:48.294| CreateProcess |3028|C: Monitor Malware v i s u a l i z a r . exe |2440|C: WindowsSysWOW64 d l l . exe 1 2014−05−14 20:02:40.963113 10.10.100.101 XX. YY. ZZ.121 HTTP 290 GET /. swim01/ c o n t r o l . php? i a&mi=00B5AB4E−47098BC3 HTTP/1.1 Monitoring Systems & Binaries FAU @ Erlangen
  • 7. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 8. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Function Interposition Figure: Source: https://www.malwaretech.com/2015/01/ inline-hooking-for-programmers-part-1.html Monitoring Systems & Binaries FAU @ Erlangen
  • 9. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Techniques I Kernel Tables System Service Dispatch Table (SSDT) Interrupt Descriptor Table (IDT) Global Descriptor Table (GDT) Userland Tables API hooking DLL injection Monitoring Systems & Binaries FAU @ Erlangen
  • 10. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Techniques II Binary Patching Inline hooking OS Support Detours Callbacks Monitoring Systems & Binaries FAU @ Erlangen
  • 11. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 12. In Practice...
    Figure: Real malware claiming a registry problem when an anti-analysis trick succeeded.
  • 13. In Practice...
    Figure: Commercial solution armored with an anti-debug technique.
  • 14. In Practice...
    Figure: Real malware impersonating a security solution which cannot run under a hypervisor.
  • 15. Detecting Analysis Procedures
    #include <stdio.h>
    #include <windows.h>   /* IsDebuggerPresent() */

    int main(void)
    {
        if (IsDebuggerPresent())
            printf("debugged\n");
        else
            printf("NO DBG\n");
        return 0;
    }

    cmp [eax+0xe9], eax   ; 0xe9 = JMP (opcode of an inline hook's first byte)
    pop rbp
  • 16. Anti-Analysis Summary
    Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures.

    Technique         Description                                   Reason                                 Implementation
    Anti Debug        Check if running inside a debugger            Blocks reverse engineering attempts    Fingerprinting
    Anti VM           Check if running inside a VM                  Analysts use VMs for scalability       Execution side-effect
    Anti Disassembly  Fool disassemblers to generate wrong opcodes  AV signatures may be based on opcodes  Undecidable constructions
  • 18. Transparency
    1. Higher privileged.
    2. No non-privileged side-effects.
    3. Identical basic instruction semantics.
    4. Transparent exception handling.
    5. Identical measurement of time.
  • 19. Hardware Features Summary

    Technique  PROS               CONS                       Gaps
    HVM        Ring -1            Hypervisor overhead        High development
    SMM        Ring -2            BIOS implementation        High development cost
    AMT        Ring -3            Chipset code change        No malware analysis solution
    HPCs       Lightweight        Context-limited information  No malware analysis solution
    GPU        Easy to program    No register data           No introspection procedures
    SGX        Isolates goodware  Also isolates malware      No enclave inspection
    SOCs       Tamper-proof       Passive components         Raise alarms
  • 20. HVM
    Figure: HVM operating layers.
  • 21. HVM
    Figure: Ether Sandbox exits.
  • 22. SMM
    Figure: Operation modes. Source: https://tinyurl.com/l2uqr8d
  • 23. SMM
    Figure: SMI generation.
  • 24. A ring to rule them all!
    Figure: Privileged rings.
    Figure: New privileged rings.
  • 25. Isolated Enclaves
    Figure: SGX memory protection.
  • 27. DMA Attacks I
    Figure: Hypervisor attack.
  • 28. DMA Attacks II
    Figure: Source: https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf
  • 29. SGX Malware
    Figure: SGX malware.
  • 31. References
    Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms. ACM Computing Surveys.
    Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging. ACM Transactions on Privacy and Security.
    The other guys: automated analysis of marginalized malware. Journal of Computer Virology and Hacking Techniques.
  • 32. Conclusions
    Thanks, Tilo, for hosting me.
    Open to hear your questions.
  • 34. Proposed Framework
    Figure: Proposed framework architecture.
  • 35. Could I develop a performance-counter-based malware analyzer? Could I isolate processes' actions?
    Figure: Data Storage (DS) area.
  • 36. Could I develop a performance-counter-based malware analyzer? Could I isolate processes' actions?
    Figure: Local Vector Table (LVT).
  • 37. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
    Table: ASLR - Library placement after two consecutive reboots.

    Library    NTDLL       KERNEL32    KERNELBASE
    Address 1  0xBAF80000  0xB9610000  0xB8190000
    Address 2  0x987B0000  0x98670000  0x958C0000
  • 38. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
    Table: Function offsets from the ntdll.dll library.

    Function                    Offset
    NtCreateProcess             0x3691
    NtCreateProcessEx           0x30B0
    NtCreateProfile             0x36A1
    NtCreateResourceManager     0x36C1
    NtCreateSemaphore           0x36D1
    NtCreateSymbolicLinkObject  0x36E1
    NtCreateThread              0x30C0
    NtCreateThreadEx            0x36F1
  • 39. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
    Figure: Introspection mechanism.
  • 40. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
    Figure: Step Into (call-graph nodes: NewToy, printf, printf+0xca, __iob_func, printf+0xe3, _lock_file+0x90).
    Figure: Step Over (call-graph nodes: NewToy, printf, scanf+0x3f).
  • 41. Is CFG reconstruction possible?
    Figure: Code block identification.
  • 42. Is the final solution transparent? Identified tricks
    0x190  xor eax, eax
    0x192  jnz 0x19c

    0x180  push 0x10a
    0x185  ret
  • 43. Is the final solution transparent? Identified tricks
    0x340  cmp eax, 0xe9
    0x345  jnz 0x347

    0x400  QWORD PTR fs:0x0, rsp
    0x409  mov rax, QWORD PTR [rsp+0xc]
    0x40e  cmp rbx, QWORD PTR [rax+0x4]
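Added example, not code from the slides: a portable C routine that classifies the first bytes of a function prologue the way a hook-integrity checker or an analyst's triage script would, covering the patterns the deck shows on the "Detecting Analysis Procedures" slide and in the identified tricks above, namely an inline JMP rel32 (the 0xE9 byte compared against), a JMP through a memory operand (FF 25) and a PUSH imm32 / RET pair used as a disguised jump. All byte strings and the load address are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum prologue_kind { PROLOGUE_CLEAN, PROLOGUE_JMP_REL32, PROLOGUE_JMP_MEM, PROLOGUE_PUSH_RET };

/* Classify the bytes at the start of a function that is mapped at `addr`.
 * For JMP rel32 and PUSH/RET the resolved transfer target is written to *target. */
enum prologue_kind classify_prologue(const uint8_t *code, size_t len,
                                     uint64_t addr, uint64_t *target)
{
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {                  /* E9 rel32: the classic inline hook */
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);             /* little-endian signed displacement */
        *target = addr + 5 + (int64_t)rel;              /* relative to the end of the 5-byte JMP */
        return PROLOGUE_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) /* FF 25 disp32: JMP [mem] */
        return PROLOGUE_JMP_MEM;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* 68 imm32 ; C3: PUSH imm32 / RET */
        uint32_t imm;
        memcpy(&imm, code + 1, sizeof imm);
        *target = imm;                                  /* RET transfers control to the pushed value */
        return PROLOGUE_PUSH_RET;
    }
    return PROLOGUE_CLEAN;                              /* no redirection pattern at entry */
}

/* Convenience wrapper returning only the resolved target (0 when none). */
uint64_t prologue_target(const uint8_t *code, size_t len, uint64_t addr)
{
    uint64_t t;
    classify_prologue(code, len, addr, &t);
    return t;
}

int main(void)
{
    /* Constructed samples: a normal frame setup, an E9 hook, and the push/ret trick. */
    const uint8_t clean[]    = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    const uint8_t hooked[]   = { 0xE9, 0x10, 0x00, 0x00, 0x00, 0x90 };
    const uint8_t push_ret[] = { 0x68, 0x0A, 0x01, 0x00, 0x00, 0xC3 };
    const uint8_t *samples[] = { clean, hooked, push_ret };
    for (size_t i = 0; i < 3; i++) {
        uint64_t tgt;
        int k = (int)classify_prologue(samples[i], 6, 0x401000, &tgt); /* 0x401000: hypothetical base */
        printf("sample %zu: kind=%d target=0x%llx\n", i, k, (unsigned long long)tgt);
    }
    return 0;
}
```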
  • 44. Is the final solution transparent? Deviating Behavior
    Figure: Deviating behavior identification.
  • 45. Is the final solution transparent? Deviating Behavior
    Figure: Divergence: True Positive.
    Figure: Divergence: False Positive.
  • 46. Could I develop a Debugger? Inverted I/O
    Figure: Debugger's working mechanism.
  • 47. Could I develop a Debugger? Suspending Processes
    EnumProcessThreads + SuspendThread.
    DebugActiveProcess.
    NtSuspendProcess.
  • 48. Could I develop a Debugger? Integration
    Figure: GDB integration.
  • 49. Does the solution handle ROP attacks? ROP Attacks
    Figure: ROP chain example.
  • 50. Does the solution handle ROP attacks? CALL-RET Policy
    Figure: CALL-RET CFI policy.
  • 51. Does the solution handle ROP attacks? Gadget-size policy
    Figure: kBouncer's exploit stack.
  • 52. Does the solution handle ROP attacks? Exploit Analysis
    Table: Excerpt of the branch window of the ROP payload.

    FROM        TO
    ...
    0x7c346c0a  0x7c346c0b
    0x7c37a140  0x7c37a141
    ...
  • 53. Does the solution handle ROP attacks? Exploit Analysis
    7c346c08:  f2 0f 58 c3           addsd  %xmm3,%xmm0
    7c346c0c:  66 0f 13 44 24 04     movlpd %xmm0,0x4(%esp)

    0x1000 (size=1)  pop rax
    0x1001 (size=1)  ret
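Added example, not the deck's implementation: a C replay of a constructed branch window, as a BTS/LBR-style monitor would record it, applying the two policies discussed on the previous slides, CALL-RET pairing through a shadow stack and a kBouncer-style gadget-size heuristic. The thresholds and all addresses are hypothetical, and gadget size is approximated as bytes between a RET target and the next recorded branch rather than as an instruction count.

```c
#include <stdint.h>
#include <stddef.h>

enum br_kind { BR_CALL, BR_RET, BR_JMP };
struct branch { enum br_kind kind; uint64_t from, to; uint8_t insn_len; /* length of the CALL */ };

#define SHADOW_MAX 64
#define GADGET_MAX_BYTES 20  /* hypothetical: RET target this close to the next branch counts as a gadget */
#define GADGET_CHAIN 3       /* hypothetical: this many consecutive gadget-sized RETs raises an alarm */

/* Replays a branch window and returns the number of policy violations:
 * one per RET whose target is not the return site of the matching CALL,
 * plus one when GADGET_CHAIN consecutive gadget-sized RET targets are seen. */
int check_branch_window(const struct branch *w, size_t n)
{
    uint64_t shadow[SHADOW_MAX];   /* expected return sites, pushed at each CALL */
    size_t sp = 0;
    int violations = 0, chain = 0;
    for (size_t i = 0; i < n; i++) {
        if (w[i].kind == BR_CALL) {
            if (sp < SHADOW_MAX) shadow[sp++] = w[i].from + w[i].insn_len;
            chain = 0;
            continue;
        }
        if (w[i].kind == BR_RET) {
            if (sp == 0 || shadow[--sp] != w[i].to) violations++;    /* CALL-RET policy */
            /* gadget-size heuristic: bytes from the RET target to the next recorded branch */
            if (i + 1 < n && w[i + 1].from >= w[i].to &&
                w[i + 1].from - w[i].to <= GADGET_MAX_BYTES) {
                if (++chain == GADGET_CHAIN) violations++;
                continue;
            }
        }
        chain = 0;   /* a JMP or a long RET target breaks the gadget chain */
    }
    return violations;
}

/* Constructed windows: ordinary call/return nesting versus RET-chained gadgets. */
int demo_benign(void)
{
    const struct branch w[] = {
        { BR_CALL, 0x1000, 0x2000, 5 }, { BR_JMP,  0x2004, 0x2040, 0 },
        { BR_CALL, 0x2045, 0x3000, 5 }, { BR_RET,  0x3020, 0x204a, 0 },
        { BR_RET,  0x2050, 0x1005, 0 } };
    return check_branch_window(w, 5);   /* every RET matches its CALL: 0 */
}
int demo_rop_chain(void)
{
    const struct branch w[] = {
        { BR_RET, 0x7c346c0a, 0x1000, 0 }, { BR_RET, 0x1001, 0x1100, 0 },
        { BR_RET, 0x1103,     0x1200, 0 }, { BR_RET, 0x1204, 0x1300, 0 } };
    return check_branch_window(w, 4);   /* 4 unmatched RETs + 1 gadget chain: 5 */
}
```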
  • 54. Is the solution easy to implement? Lines of Code comparison
    Figure: Lines of Code by solution (log-scale axis from 100 to 1e6; solutions compared: Ether:Comp, Ether:Xen, Ether:Patches, Ether:Patch, Ether:Ctl, MAVMM:Comp, MAVMM:Rep, Bit:Comp, Our:Comp, Our:Cli, Our:Drv, Our:Scr).
  • 55. Is the solution portable? Talking about Linux
    /* Linux kernel: registration of the Intel BTS (Branch Trace Store) PMU with perf. */
    static __init int bts_init(void)
    {
        bts_pmu.capabilities = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE;
        bts_pmu.task_ctx_nr  = perf_sw_context;
        bts_pmu.event_init   = bts_event_init;
        bts_pmu.add          = bts_event_add;
        bts_pmu.del          = bts_event_del;
        bts_pmu.start        = bts_event_start;
        bts_pmu.stop         = bts_event_stop;
        bts_pmu.read         = bts_event_read;
        return perf_pmu_register(&bts_pmu, "intel_bts", -1);
    }
  • 56. Is the solution portable? Talking about Linux
    perf_init(&pe, MMAP_PAGES);                          /* open the perf event and map its buffer */
    fcntl(gbl_status.fd_evt, F_SETOWN, getpid());        /* deliver the event fd's signals to this process */
    monitor_loop(pid_child, s_outfile);                  /* consume branch records for the traced child */
  • 57. Is the solution's overhead acceptable? Could the solution run in real-time?

    Task                              Base value   System monitoring   Penalty   Benchmark monitoring   Penalty
    Floating-point operations (op/s)  101530464    99221196            2.27%     97295048               4.17%
    Integer operations (op/s)         285649964    221666796           22.40%    219928736              23.01%
    MD5 Hashes (hash/s)               777633       568486              26.90%    568435                 26.90%
    RAM transfer (MB/s)               7633         6628                13.17%    6224                   18.46%
    HDD transfer (MB/s)               90           80                  11.11%    75                     16.67%
    Overall (benchm. pt)              518          470                 9.27%     439                    15.25%