Instruction Subsets in Software Diversity
Malware Project
Nguyet Nguyen
Nov. 30th 2004
Motivation: visit the company "Computer"
• The CPU is the main worker of the company Computer
• The CPU joins sets of parts called Insts (instructions) into robots called Softs (software)
• Softs work in the Computer office
• Computer stores some gold boxes in the office
• Insts are delivered by Developers
• The gold boxes have some holes in them
• The office door is open
[Figure: the Computer's office, showing Insts assembled into Software, the CPU and the gold boxes]
Motivation: meet Mr Evil
• Mr Evil knows how the CPU works
• Mr Evil knows the holes in the gold boxes
• Evil creates a new array of Insts that the CPU will assemble into a new kind of robot called a Worm
• Worms can steal gold through the holes

Problems occur in the Computer office
[Figure: the Computer's office, now with Worms next to the Software, the CPU and the gold boxes]

Bigger problem: all companies (every Computer assembles the same Insts the same way, so one Worm works everywhere)
Current solutions
• Use a Gatekeeper in front of the CPU
• Dye the Insts with a dyeing solution (the Key)
• The Gatekeeper applies the reverse Key to the dyed Insts

Randomizing instruction dialects
[Figure: dyed Insts pass the Gatekeeper and reach the CPU; the Worm's undyed Insts do not ("Hu hu, I cannot do anything")]

Is it good?
• Portable? No
• Performance? Reduced
• Security?
  – Relies on the enforcement environment
  – The key can be guessed
Subset
[Figure: only Insts belonging to the subset reach the CPU; the Worm's Insts do not ("Hu hu, I cannot do anything")]

Is an Instruction Subset better?
• Portable
• Performance: hardware Gatekeeper
• Security:
  – Works without the enforcement environment
  – Versions differ in their subset size
Groups of instructions
• Divide the instruction set into groups:
  – a group of unique instructions (UI)
  – groups of equivalent instructions (EIs)
• New IS = UI + new EI
  – the new EI's members are selected from each of the old EIs (one member per old EI)
Unique instructions
• CALL
• INT / RET
• Convert instructions: CBW, CDQ
• Set/clear interrupt flag: CLI, STI
• ASCII and decimal adjust: AAA, AAD
• ESC, HLT
• LEA
• LOCK
• NOP
• PUSH / POP, PUSHF / POPF
• WAIT / FWAIT
• IN / OUT
Groups of EIs
• Load instructions: lds, lodsb, lodsw
• Store instructions: stosb, stosw
• Branch instructions: jumps, loops, repeats (35 + 5 + 5 = 45 insts)
• Move instructions: mov, movs, movsx, movzx
• Add/Sub: add, inc, dec, sub
• Mul/Div: imul, mul, idiv, div
• Test:
• Interchange: cmp and exchange
• Flags set:
• Logical operations: and, or, xor, not (4 insts)
Transformation
• Some transformations are easy, others are not
• Transformation complexity depends on other groups
• Examples:
  – dec and sub (easy: dec ax becomes sub ax, 1; note that dec leaves CF untouched while sub writes it)
  – jmp (hard: an unconditional jump becomes a conditional one whose flag must be forced first, which needs instructions from other groups):
    mov ax, 0
    cmp ax, 0
    je target
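The following is an added example (not code from the presentation) of the transformation step above: a small rewriter that maps instructions a version's subset omits onto equivalents. The REWRITES table is an assumed illustration covering the slide's two cases, dec/sub and jmp; everything else about it (mnemonic parsing, error reporting) is this example's own.

```python
# Added example (not the project's code): rewriting instructions that a
# version's subset omits into equivalents, as sketched on the Transformation
# slide.  The REWRITES table is an assumed illustration covering only the
# slide's two cases (dec/sub and jmp).

REWRITES = {
    # dec/inc are easy: the same group (Add/Sub) has a direct equivalent.
    # Caveat: dec/inc leave CF untouched while sub/add write it, so the
    # rewrite is only safe where CF is not read afterwards.
    "dec": ["sub {ops}, 1"],
    "inc": ["add {ops}, 1"],
    # jmp is not: an unconditional jump becomes a conditional one whose flag
    # must first be forced, which pulls in mov and cmp from other groups (the
    # slide's "complexity depends on other groups").  It also clobbers ax.
    "jmp": ["mov ax, 0", "cmp ax, 0", "je {ops}"],
}


def mnemonic(line):
    """Lower-cased opcode mnemonic of one text assembly line."""
    return line.strip().split(None, 1)[0].lower()


def operands(line):
    """Operand text of one assembly line ('' when there is none)."""
    parts = line.strip().split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rewrite(lines, subset, rewrites=REWRITES):
    """Return `lines` rewritten to use only mnemonics in `subset`.

    Raises ValueError when an instruction has no known transformation, or
    when its transformation itself needs an instruction the subset omits.
    """
    out = []
    for line in lines:
        m = mnemonic(line)
        if m in subset:
            out.append(line.strip())
            continue
        if m not in rewrites:
            raise ValueError(f"{m}: not in subset and no transformation known")
        for template in rewrites[m]:
            new = template.format(ops=operands(line))
            needed = mnemonic(new)
            if needed not in subset:
                raise ValueError(
                    f"{m}: transformation needs {needed}, which the subset omits")
            out.append(new)
    return out


def can_transform(lines, subset, rewrites=REWRITES):
    """True when every line can be expressed with the subset."""
    try:
        rewrite(lines, subset, rewrites)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed input: a version that dropped dec and jmp but kept sub/mov/cmp/je.
    print(rewrite(["dec eax", "jmp done"], {"sub", "mov", "cmp", "je"}))
    # The same jmp cannot be expressed if the version also dropped cmp.
    print(can_transform(["jmp done"], {"mov", "je"}))
```

The second call is the point of the slide: whether jmp can be transformed at all depends on what the subset kept in the compare and move groups, so the selection rules for the groups are coupled.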
Instruction selection in EI sets
• Instructions with transformation complexity are decided statically: omitted or allowed (allowed with probability 50%)
  – inc, dec, mov, jmp
• From the remaining instructions of each EI, pick 1 at random
Does it work?
• 3 questions:
  – Is it possible for a worm to use only UI to complete its work?
  – How many diverse subsets do we have?
  – How long should a worm be to ensure an acceptable rate of protection?
Question 1: is UI enough?
• No
• Why?
  – A worm needs a jump
  – A worm needs a load
• Verification:
  – CodeRed
  – Sapphire
  – Nimda
  – Unix worms: ADM Worm v1
Question 2: how diverse is this approach?
• The number of different versions is:
  2^(number of static insts) × |EI_1| × |EI_2| × …
  where |EI_i| is the number of remaining (non-static) instructions in group EI_i
• It depends on the number of EIs to which the selection process is applied and on how many instructions are picked from each set
Question 3: performance (rate of protection)?
• It does not depend on how long a worm is
• It depends on how many different instructions a worm uses
• Diversifying only opcodes limits the opportunities for subset diversity
Example: Sapphire
• Instructions used: push, mov, xor, loop, lea, call, cmp, jz, or, shl, jmp
• UI: push, call, lea
• OI (other instructions):
  – Logical operations: or, xor, cmp, shl
  – Branch operations: loop, jz, jmp
  – Move operation: mov
• Performance:
  P(all insts pass) = 2 × (3/4) × (2/3) × (1/45) × (1/45) × (1/2) = 1/4050 ≈ 2.5 × 10^-4 (of the order of 10^-4)

Anything wrong?
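The following is an added example (not code from the presentation) that carries the selection rule of the "Instruction selection in EI sets" slide, the version count of Question 2 and the pass probability of the Sapphire example through in working code. It follows the pick-one-per-EI rule literally: a version keeps every UI, flips a coin for each static instruction, and keeps exactly one remaining member of each EI. The group tables are abridged from the slides (the branch group lists a sample rather than all 45 members) and the "compare" and "shift" groups are assumptions so that every Sapphire mnemonic has a group; the probability arithmetic is this example's own, not the slide's.

```python
# Added example (not the project's code): instruction-subset diversity.
# Builds a version's subset from UI + EI groups, counts the possible
# versions (Question 2) and computes the chance that a worm's instructions
# all pass the Gatekeeper (Question 3).  Group tables are abridged from the
# slides; the "compare" and "shift" groups are assumptions.
import random
from collections import Counter
from fractions import Fraction

# Unique instructions (UI): present in every version.
UNIQUE = {"call", "int", "ret", "cbw", "cdq", "cli", "sti", "aaa", "aad",
          "esc", "hlt", "lea", "lock", "nop", "push", "pop", "pushf", "popf",
          "wait", "fwait", "in", "out"}

# Equivalent-instruction groups (EIs).  The slides count 45 branch
# instructions; only a representative sample is listed here.
EI_GROUPS = {
    "load":    ["lds", "lodsb", "lodsw"],
    "store":   ["stosb", "stosw"],
    "move":    ["mov", "movs", "movsx", "movzx"],
    "addsub":  ["add", "inc", "dec", "sub"],
    "muldiv":  ["imul", "mul", "idiv", "div"],
    "logic":   ["and", "or", "xor", "not"],
    "compare": ["cmp", "test"],          # assumed grouping
    "shift":   ["shl", "shr", "sal", "sar"],  # assumed grouping
    "branch":  ["jmp", "jz", "jnz", "jc", "jnc", "ja", "jb", "jg", "jl",
                "loop", "loope", "loopne", "rep", "repne"],
}

# Instructions whose transformation is complex are decided statically:
# each is allowed or omitted with probability 1/2, outside its group's draw.
STATIC = {"inc", "dec", "mov", "jmp"}

GROUP_OF = {m: g for g, members in EI_GROUPS.items() for m in members}


def remaining(group):
    """Members of an EI group that take part in the pick-one draw."""
    return [m for m in EI_GROUPS[group] if m not in STATIC]


def generate_subset(rng=None):
    """New IS = UI + static coin flips + one instruction from each EI."""
    rng = rng if rng is not None else random.Random()
    subset = set(UNIQUE)
    subset |= {m for m in STATIC if rng.random() < 0.5}
    for g in EI_GROUPS:
        subset.add(rng.choice(remaining(g)))
    return subset


def count_versions():
    """2^(static insts) x |EI_1| x |EI_2| x ... (Question 2)."""
    n = 2 ** len(STATIC)
    for g in EI_GROUPS:
        n *= len(remaining(g))
    return n


def gatekeeper(subset, mnemonics):
    """Mnemonics the hardware Gatekeeper rejects for this version."""
    return sorted({m for m in mnemonics if m not in subset})


def pass_probability(mnemonics):
    """Exact probability that every distinct instruction a worm uses is kept
    by a random version.  Only the set of distinct mnemonics matters, not
    the worm's length (Question 3)."""
    p = Fraction(1)
    per_group = Counter()
    for m in set(mnemonics):
        if m in UNIQUE:
            continue
        if m in STATIC:
            p *= Fraction(1, 2)
        elif m in GROUP_OF:
            per_group[GROUP_OF[m]] += 1
        else:
            raise ValueError(f"unknown mnemonic {m!r}")
    for g, used in per_group.items():
        if used > 1:          # a version keeps exactly one member per group
            return Fraction(0)
        p *= Fraction(1, len(remaining(g)))
    return p


def estimate_pass_probability(mnemonics, trials, seed=0):
    """Monte Carlo cross-check of pass_probability via generate_subset."""
    rng = random.Random(seed)
    passed = sum(not gatekeeper(generate_subset(rng), mnemonics)
                 for _ in range(trials))
    return passed / trials


# Mnemonics of the Sapphire worm as listed on the slide.
SAPPHIRE = ["push", "mov", "xor", "loop", "lea", "call",
            "cmp", "jz", "or", "shl", "jmp"]

if __name__ == "__main__":
    print("versions:", count_versions())
    print("Sapphire pass probability:", pass_probability(SAPPHIRE))
    reduced = ["push", "mov", "xor", "loop", "lea", "call"]  # constructed
    print("reduced worm:", pass_probability(reduced),
          "~", estimate_pass_probability(reduced, 20000))
```

Under the pick-one rule Sapphire never passes: it uses both or and xor from the logic group (and both loop and jz from the branch group), and a version keeps only one of each. A constructed worm that drops to one logic and one branch instruction passes with probability 1/2 (mov) × 1/4 (logic) × 1/13 (abridged branch group), which the Monte Carlo estimate reproduces; this is the slide's point that what matters is how many different instructions a worm uses.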
How to enhance diversity?
• Determine how many instructions are needed to complete a worm
• Enhance the diversity of UI by adding addressing modes / operand modes
• Complicated? Yes
• How to reduce costs: apply it only to "important instructions"
High-level hypotheses about worms
• Every worm needs to use a call
• Every worm needs to use a push
• Every worm needs communication instructions?
• Every worm needs a load or a store
• Every worm needs at least one arithmetic instruction
What do we need?
Push and Call
• Push: 6 operand modes
• Call: 30 operand modes
  – 6 near
  – 8 far
  – 4 task
  – 12 gate
Example: Sapphire (II)
• Call: call eax; call dword ptr [esi]; call esi
• Push: push 42B0C9DCh; push eax
• Performance:
  P(all call/push pass) = (1/6) × (1/8) × (1/6) × (1/6) × (1/6) = 1/10368 ≈ 9.6 × 10^-5
Issues?
• Instruction guessing?
  – Worms may not be fast enough
  – People can try to guess from simple to complicated instructions
• Hypothesis proof
  – Disassembled code
  – Static analysis
Conclusions
• Nothing is perfect
• More diversity solutions give better diversity

Thank you