Diversity Algorithms for Worrisome Software and Networks (DAWSON): PowerPoint presentation transcript

Page 1: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

[Slide template diagram, repeated on every slide: a depth axis labelled OS Depth / Attack Depth over the layers USER.EXE, USER.DLL, SYSTEM.DLL and SYSTEM.SYS, the attack stages Exploit and Payload, and the Defense Techniques: Randomize Stack Base and Allocation, Randomize Heap Base and Allocation, Rebase DLL, Randomize Code Location, Non-Bypassability, Address Resolution.]

Diversity Algorithms for Worrisome Software and Networks (DAWSON)

James Just, Nathan Li, Mark Cornwell (Global InfoTek, Inc.)
Jeff Rowe, Tufan Demir (UC Davis)
R. Sekar (SUNY Stony Brook)
15 December 2005

Page 2: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

DAWSON Overview

• Explores Biologically Inspired Diversity

• Automatically generates a large number of program variants
  – Variants differ in terms of memory layout

• Targets memory errors such as buffer overflows

• Implemented on Microsoft Windows

Page 3: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Agenda

• Introduction

• Development Update

• Testing Update

• Analytic Update

• Conclusions

Page 4: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Diversity System Functional Architecture

[Diagram: the Original Program is transformed by a Modified PE File, Loader & System Calls, driven by a PRNG (Pseudo-Random Number Generator) and a Translation Wrapper, with an Optional Annotation File, User Inputs and Other System Resources as inputs, producing the Transformed In-memory program. Callouts: "Modifications transform original stored program"; "Normal user inputs work"; against the Attacker (memory error exploits), "Some attacks fail because vulnerability is not at assumed address" and "Other attacks fail because injected commands are wrong".]

Address randomization does not remove the vulnerability but makes the effect of an attack unpredictable.

Page 5: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Multi-Layer Defense Strategy

Layer 1 - Prevent Remote Exploit of Memory Errors
Layer 2 - Prevent Injected Code from Properly Executing
Layer 3 - Prevent Bypass of Layer 2

Page 6: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Characterizing DAWSON's Multi-Layer Defenses

[Diagram: columns USER.EXE, USER.DLL, SYS.DLL and SYS.SYS over the regions STACK, HEAP, writable memory, executable memory and kernel memory. Layer 1 (Exploit): randomize base of main and thread stack, randomize heap base, randomize heap allocs, rebase DLL, randomize code location. Layer 2 (Payload): IAT permutation, PEB/SEH masking*. Layer 3 (Payload, kernel memory): non-bypassability*.]

Page 7: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Development Update

Page 8: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


DAWSON Development Phases

• Phase 1: First 6 months
  – Diversity approaches
  – Code transformation techniques
• Phase 2: Second 6 months
  – Windows randomization integration
  – Application protection
• Phase 3: Third 6 months
  – Host protection
  – Performance and memory efficiency
  – Extensive tests

Page 9: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

DAWSON on a Host

[Diagram: a Randomized User Address Space sits on a Randomization and Protection Layer (OS: user address space layout creator), which exchanges Messages with a Remote Monitor & Controller (e.g., Blackboard) and reads the Local Host Randomization Configuration.]

Page 10: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


DAWSON Changes (Since July '05)

• Primary Stack Randomization
  – Native API Augmentation
  – Coming: Kernel driver integration
• System DLLs Base Randomization (Rebasing)
  – Kernel Mode Driver
• PEB/SEH protection
  – Debugging API
• 6 New Exploits
• Extensive Testing
  – Test in small
  – Test in large
  – Red team exercise

Page 11: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

DLL Rebasing Issues

• Rebasing system DLLs like ntdll and kernel32
  – Solution: use a kernel-mode driver to rebase at boot time
• Cost vs. Benefit
  – Significant benefits: can break exploit and payload
  – Costs:
    • Performance impact to relocate code
    • Memory impact due to reduced sharing across processes
  – Options:
    • Baseline: Rebase and Share
      – Shared, but introduces common vulnerabilities across all apps
    • Rebase on First Use
    • Rebase on Request
  – Configurable via registry settings

Page 12: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

DAWSON Second Layer

• Payload Execution Prevention
  – IAT permutation (done prior to July PI meeting)
    • IAT used to look up addresses of functions in DLLs
    • By permuting the order of IAT entries, attack code will access the wrong function
  – PEB/SEH Protection (new)
    • PEB is a data structure with the addresses of common API functions
    • PEB is memory protected; accessing the PEB raises an exception
    • Exception handler checks the location of the caller; if it is outside the program boundary, access is denied.
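The IAT permutation described above, as an added illustration that is not DAWSON's code: a four-entry table of stand-in functions is shuffled by a seeded PRNG, the rebound program resolves imports through the per-variant map, and code that hardcodes the original slot order lands on the wrong function. The function names, the PRNG constants and the table contents are all constructed for this example.

```c
/* Added illustration (not DAWSON's code): a per-variant IAT permutation
 * keeps legitimately rebound code working while code that assumes the
 * original import order calls the wrong function. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IAT_SIZE 4

typedef int (*api_fn)(int);

/* Stand-ins for imported DLL functions (constructed, not real APIs). */
static int api_open(int x)  { return x + 100; }
static int api_read(int x)  { return x + 200; }
static int api_write(int x) { return x + 300; }
static int api_close(int x) { return x + 400; }

/* The unpermuted import order the executable was linked against. */
static const api_fn original_iat[IAT_SIZE] = { api_open, api_read, api_write, api_close };

/* Tiny deterministic LCG standing in for the PRNG box on the architecture
 * slide; constants chosen so the sequence can be checked by hand. */
static uint32_t prng_state;
static void prng_seed(uint32_t s) { prng_state = s; }
static uint32_t prng_next(void) {
    prng_state = (prng_state * 75u + 74u) % 65537u;
    return prng_state;
}

typedef struct {
    api_fn slots[IAT_SIZE];  /* permuted table actually placed in memory */
    size_t map[IAT_SIZE];    /* original index -> permuted slot (the variant's address map) */
} variant_iat;

/* Build one program variant: Fisher-Yates shuffle of the slot order. */
static void build_variant(variant_iat *v, uint32_t seed) {
    size_t perm[IAT_SIZE];
    for (size_t i = 0; i < IAT_SIZE; i++) perm[i] = i;
    prng_seed(seed);
    for (size_t i = IAT_SIZE - 1; i > 0; i--) {
        size_t j = prng_next() % (i + 1);
        size_t t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
    /* Slot k now holds original entry perm[k]; record the inverse for the program. */
    for (size_t k = 0; k < IAT_SIZE; k++) {
        v->slots[k] = original_iat[perm[k]];
        v->map[perm[k]] = k;
    }
}

/* Legitimate path: the rebound program consults the per-variant map. */
static int call_rebound(const variant_iat *v, size_t orig_index, int arg) {
    return v->slots[v->map[orig_index]](arg);
}

/* Code that assumes the original layout (e.g. a payload built against the
 * unpermuted IAT) indexes the table directly. */
static int call_assuming_original(const variant_iat *v, size_t orig_index, int arg) {
    return v->slots[orig_index](arg);
}

/* How many direct-index calls reach the wrong function in this variant. */
static int count_misrouted(const variant_iat *v) {
    int wrong = 0;
    for (size_t i = 0; i < IAT_SIZE; i++)
        if (call_assuming_original(v, i, 0) != original_iat[i](0)) wrong++;
    return wrong;
}

int main(void) {
    variant_iat v;
    build_variant(&v, 1);   /* seed 1 yields slot order open, close, write, read */
    for (size_t i = 0; i < IAT_SIZE; i++)
        printf("entry %zu: rebound -> %d, original-layout -> %d\n",
               i, call_rebound(&v, i, 0), call_assuming_original(&v, i, 0));
    printf("%d of %d direct-index calls misrouted\n", count_misrouted(&v), IAT_SIZE);
    return 0;
}
```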

Page 13: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Rebasing Executables using Exception Handler

[Diagram: an executable's .text, stack and IAT (entries 1, 2, 3) before rebasing, and after rebasing with the IAT entries reordered; an Exception Handler with Address Map resolves references through the Address Map.]

Page 14: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Limitations

Page 15: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Where Absolute Address Randomization Fails

• Non-pointer attacks
  – Overflow a buffer to corrupt nearby non-pointer data, e.g., a string used as an argument of execve
  – Relies on the ability to find security-critical data next to vulnerable buffers: not very easy.
• Attacks that can extract the "randomization key"
  – "Information leakage attacks"
  – Rely on a vulnerability that sends back pointer values in a response to a request
• Vulnerabilities shared by many other defenses
  – StackGuard, StackGhost, PointGuard and some ISR implementations

Page 16: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Repetitive Attacks

• Double-pointer attack
  – AAR provides only limited protection
• Guessing attacks
  – Require on the order of 15K attempts
• Solutions
  – Layer 2 defenses
  – Automated response:
    • Filtering based on automatically generated signatures is a promising approach to address these
    • [Liang et al '05] generate signatures that reliably block 10 of 11 attacks in their test suite
    • Less than 10% performance overhead, no false positives

Page 17: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Expected Attack Attempts for Conventional Attacks

Attack Name           Effect 1                   Effect 2       Expected attack attempts
Stack-smash           Injected code              -              500K to 5M
Base ptr attack       Write using corrupted ptr  Injected code  500K to 5M or more
Return-to-libc        Existing code              -              15K
Format string         Write using corrupted ptr  Injected code  15K
Heap overflow         Write using corrupted ptr  Injected code  15K
Integer overflow (1)  Write using corrupted ptr  Injected code  15K
Integer overflow (2)  Injected code              -              15K

Page 18: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Testing Update

Page 19: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Implementation Status

• Kernel Driver: System DLLs randomization
• Layer 1:
  – 2-level Stack Randomization, including primary stack
  – 2-level Heap Randomization
  – Application DLLs randomization
  – EXE randomization when .reloc is available (included in synthetic vulnerable server)
• Layer 2:
  – IAT permute and library name erase integrated
  – SEH/PEB protection developed, NOT integrated
• Layer 3: Not integrated

Page 20: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Testing Changes (Since July '05)

• Extended Benchmark Vulnerable Service to incorporate 15 vulnerabilities.
  – Extended Attack Corpus to 15 corresponding attacks packaged in Metasploit.
• Extensive internal testing
  – Performed testing on Emulab to observe contributions of individual randomizations.
  – Automated testing on a small-scale 3-node in-house testbed and used the results to refine/debug the randomization software.
  – Built an iterative test to restart VulnSrv to support testing of brute-force attacks.
• Conducted Red Team Experiment in November.

Page 21: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


DAWSON Testing Platform

[Diagram: a Metasploit Attack Center sends an Attack String to several Vulnerable Service instances, each with a Listening Thread, under Monitoring.]

Page 22: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Key Test Characteristics

• Vulnerabilities
  – Stack buffer overflow
  – Format string
  – Integer overflow
  – Heap overflow
  – A function may have combinations of the vulnerabilities
• Payloads:
  – Injected code
  – Existing code
  – Existing program

Page 23: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Test Demo

[Screenshot caption: 2 Dec 2005, 12:12 PM, Kmd+1111 w/ConflResolv1201]

Randomization blocks most attacks from the test corpus.
All randomizations turned on.
Single kernel randomization.
Processes re-randomize on every process start.

Page 24: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Comparative Results

Page 25: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Overall Layer 1 Effectiveness

[Bar chart: penetration rate (0% to 100%) per benchmark attack for stackov_abs, stackov_esp, stackov_esp_exe, stackov_esp_ntdll, stackov_esp_kernel32, stackov_rtl, stackov_lfp, integerov1, integerov2, fmrstr1, heapov1, heapov2, heapov3, heapov4 and heapov5. The unrandomized baseline bar reaches 100% for every attack; the randomized runs show 0% to 6% per attack.]

Benchmark attacks against the unrandomized baseline: avg. penetration rate = 100%

With initial randomization, avg. penetration rate fell to 2.4%

After further engineering effort, avg. penetration rate fell to 0.56%

Test results show DAWSON randomization implementation is growing increasingly effective.

Further to go to approach theoretical limits.

Page 26: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Breakdown of Individual Randomization Effectiveness

Per-attack results by randomization configuration (flag string = dll/heap/stack/iat), as printed on the slide:

                      without Kernel Mode Driver (KMD)                              with Kernel Mode Driver (KMD)
Attack                none  dll-only  heap-only  stack-only  iat-only  all-but-kmd   none  dll   heap  stack  iat   all
                      0000  1000      0100       0010        0001      1111          0000  1000  0100  0010   0001  1111
fmrstr1               2     0         2          2           2         0             2     0     2     2      2     0
heapov1               2     0         2          2           2         0             2     0     2     2      2     0
heapov2               2     0         0          0           2         0             0     0     0     0      0     0
heapov3               2     0         0          0           2         0             2     0     0     0      2     0
heapov4               2     0         0          0           2         0             0     0     0     0      0     0
heapov5               2     0         2          2           2         0             2     0     2     2      2     0
integerov1            2     0         2          2           2         0             2     0     2     1      2     0
integerov2            2     0         2          2           2         0             2     0     2     2      2     0
stackov_abs           2     1         0          0           2         0             2     1     0     0      2     0
stackov_esp           2     0         2          0           2         0             0     0     0     0      0     0
stackov_esp_exe       2     0         2          0           2         0             0     0     0     0      0     0
stackov_esp_kernel32  2     2         2          2           2         2             0     0     0     0      0     0
stackov_esp_ntdll     2     2         2          2           2         2             0     0     0     0      0     0
stackov_lfp           2     0         2          2           2         0             2     0     2     2      2     0
stackov_rtl           2     0         2          2           2         0             2     0     2     2      2     0

On an unprotected system, all baseline attacks succeed.

Different randomization techniques are effective against some attack classes and not others. Most effective when all techniques are used in combination.

Page 27: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Minor Performance Impacts

• Heap transformations cause 5% overhead for apps that are intensive in heap allocations
• Other transformations don't add recurring cost
  – One-time overhead for relocation adds modestly to the load time
• Absolute address randomization does not change program locality
  – Most relocations occur at page granularity
  – Relative locations of objects unchanged within a page

Page 28: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Performance Impact

* Data collected on a Pentium 4 1.2GHz CPU with 768MB RAM

Defense Technology        Disk File Size  Memory Usage              Load Time Increase  Run Time Increase
DLL Base Randomization    None            None                      < 1 millisec        None
Stack Randomization       None            None                      < 1 millisec        None
Heap Base Randomization   None            None                      < 1 millisec        None
Heap Block Randomization  None            Up to 16 bytes per block  None                < 5%


Page 29: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Improving the Test Suite

• Further Work
  – Add new exploits focusing on payload execution
  – Testing payload execution protection
• Offer to security community
  – A package to test memory defense technologies
  – Open source vulnerable service with advanced memory errors and exploits (packaged as Metasploit modules)

Page 30: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


DAWSON Red Team Exercise

• Layer 1 blocked 15 of 16 attacks (many reps)
  – Red team identified a new "double vulnerability"
  – This unintended combination of a stack-buffer overflow and format-string vulnerabilities made the Red Team exercise a lot more interesting and useful!
• Layer 2 blocked the 16th attack

Page 31: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Attack Outline

• Vulnerable code (simplified):

    void vulnerable(char *attack) {
        char buf1[512], buf2[512];
        strcpy(buf1, attack);
        sprintf(buf2, buf1);
    }

• Attack
  – Guess a writable memory location X
  – Use format-string attack to inject code at X
  – Overflow buf2 to overwrite return address
  – Note: attack impossible if the order of declaration of buf1 and buf2 were interchanged!
• Use brute force to guess X

Page 32: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Attack Details: Layer I

[Diagram: stack layout of MDVULN.dll (vulnerable service code), from High to Low addresses: FormatStrThread's safeBuf[4096] holding the evil input, formatStrAttack's buf[512] and bufmain[512], the return address raddr, sprintf's Arg1/dest, Arg2/fmt and Arg3/Arg4/Arg5, waddr, and some page in memory at 0x7ffdxxxx holding the JMP ESP. Addresses embedded at the start of the attack string get interpreted as arguments to sprintf(*dest, *fmt, arg1, arg2, arg3, ...). sprintf(void *dest, char *fmt, ...) interprets many % conversion specifiers to access the stack in flexible ways.]

Vulnerable service code (as shown on the slide):

    DWORD WINAPI FormatStrThread(LPVOID lpParameter) {
        char safeBuf[4096];
        int nRet;
        nRet = recv(peersock, safeBuf, sizeof(safeBuf), 0);
        formatStrAttack(safeBuf, nRet);
    }

    void formatStrAttack(char *sBuffer, int nSize) {
        char buf[512];
        char bufmain[512];
        sprintf(buf, "String : %s", sBuffer);   // (1)
        sprintf(bufmain, buf);                   // (2)
    }                                            // (4)

1) First sprintf copies the attack string from safeBuf into buf.
2) Second sprintf interprets "496c" in the format string, overflowing waddr into the return address location.
3) "%229c%hn%229c%hn" manipulates the number of characters written to write a JMP ESP instruction into 2 bytes at waddr.
4) Return from formatStrAttack branches to waddr and executes the JMP ESP instruction. At this time ESP points into the expanded format string near bufmain.
5) ESP is manipulated to point to where the shell code slid to inside the FormatStrThread stack frame.
6) Normal return now branches to waddr where it executes the JMP ESP.
7) The ESP location contains shellcode on the stack that gains control and bootstraps a DLL injection attack.

Page 33: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Attack Details: Layer II

[Diagram: safeBuf[4096] holding the exploit, parms and Shellcode.]

Metasploit shell code for DLL injection:

1. Uses PEB to look up GetProcAddress and LoadLibrary
2. Loads w32.dll and opens a socket connection to call home.
3. Loads the injected DLL payload (hackmark.dll) into memory and tricks Windows into treating it as an ordinary DLL, linked & loaded.
4. Transfers execution to the init entry point in the DLL.

DAWSON Layer 2 catches and stops the PEB access since it is made from code executing from the stack.

Page 34: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Estimating number of attempts needed

• Attacker needs to guess a writable memory location X
• Probability of correctly guessing X = fraction of writable memory in address space = 10MB/2GB = 0.005, for an app using 10MB data
• Vulnerable server uses 0.5MB, so probability of success should be about 1/4000
• But Red Team succeeded in 128 attempts! Why?
  – Red Team was varying only the leading 8 bits of the address
  – PEB was not relocated, and happened to be located at an address that matched the lower 24 bits used by Red Team
  – Red Team informed by the Blue team of this vulnerability
    • And the possibility of injecting code into PEB
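Worked through as an added note (not from the slides), assuming each guess is uniformly random over the space the attacker varies and that the server is re-randomized after every failed attempt; the Red Team case further assumes that the lower 24 bits tried already matched the unrelocated PEB:

$$
p = \frac{\text{writable memory}}{\text{address space}} = \frac{0.5\,\text{MB}}{2\,\text{GB}} = \frac{2^{19}}{2^{31}} = 2^{-12} = \frac{1}{4096} \approx \frac{1}{4000},
\qquad
E[\text{attempts}] = \frac{1}{p} \approx 4000 .
$$

With only the leading 8 bits varied and the PEB fixed at an address whose lower 24 bits match, the effective search space shrinks to $2^{8} = 256$ candidates; sweeping them without repetition succeeds after $(256 + 1)/2 \approx 128$ attempts on average, consistent with the 128 attempts reported above.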

Page 35: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

OS

De

pth

Attack Depth

Defense Techniques

USER.EXE

USER.DLL

SYSTEM.DLL

SYSTEM.SYS

Exploit Payload

Randomize Stack Base and Allocation

Randomize Heap Base and Allocation

Rebase DLL

Randomize Code

Location

Non-Bypassability

Address Resolution

Red Team Attack: Conclusions

• DAWSON robust against attacks that exploit any single vulnerability in the vulnerable server
• Randomization is vulnerable to rare combinations of vulnerabilities
• To be effective, all memory regions should be randomized
  – Non-randomization of PEB was the reason for the Red Team to succeed in ~100 attempts as opposed to about ~4000
  – Ongoing work with the kernel driver will relocate PEB/SEH, thus addressing this weakness
• Multi-layered approach is important
  – Layer 2 was able to defeat the attack even though the attack got through layer 1.

Page 36: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Tech Transition

• Looking at Service IA entrance points, e.g.,
  – CECOM/CERDEC (S&TCD)
  – Navy (NMCI)
  – Air Force
• Initial ideas for commercial sales & support
  – Commercial partner
  – Spin-off
  – Other (GOTS)?

Page 37: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Further Development

• Issues
  – Fixed PEB/TEB base location
  – Exception handler location
  – Initial process heap/CRT heap base randomization
  – Some things not exhaustively covered
    • Process/thread creation, memory allocation
  – Undocumented Native API
    • Occasional communication error with Win32 subsystem
  – Inadequate monitoring and control
• Solutions
  – Kernel mode driver
  – Expanded vulnerabilities and attacks for Layer 2 testing
  – Control and alerting interfaces
• Enterprise capabilities and productization needed

Page 38: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Thank You

Questions?

Page 39: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Backup Slides

Page 40: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Analytic Update

Page 41: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Address Space Randomization (ASR)

• Absolute address randomization
  – Randomize the absolute address of an object
  – Distances between objects may not be randomized
• Relative address randomization
  – Randomize distances between objects, even those within the same segment

Page 42: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Attacks on DAWSON

• Exploit phase
  – Defeating randomization
• Payload execution phase
  – Difficulty of successfully executing the system functions needed to carry out the attack
  – Comes into play if and when DAWSON exploit protection is defeated

Page 43: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Probability of Successful Attacks

Pr(A) = Pr(V) / [EE(A) * PEE(A)]

• Success probability of attack A exploiting vulnerability V
• EE: "exploit effort"
  – Given by the range of randomization of the addresses involved in A
• PEE: "payload execution effort"
  – Attempts to successfully execute the "attack payload"
• Multiplicative effect
  – Requires re-randomization after every failed attack
  – Does not apply if the attack defeats the same randomization in both layers

Page 44: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Layer 2 Threat Model

• Injected code has begun execution
• Attack needs to invoke system APIs to deliver its payload
• No direct invocation of system calls
  – Supposed to be protected by layer 3 (not implemented for DAWSON)
• Existing code attacks
  – Still require breaking the layer 1 defense to get to exploitable code within the application
• We estimate PEE(V) for other types of attacks

Page 45: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Data Attacks

Attack Name             Effect 1                       Effect 2            Expected attack attempts
[Chen et al] Wu-Ftpd    Write using corrupted pointer  Corrupt data value  15 to 30K, can possibly be increased by another 4K to 16K times
[Chen et al] NullHttpd  Write using corrupted pointer  Corrupt data value  Same as above
[Chen et al] Telnetd    Write using corrupted pointer  Corrupt data value  Same as above
[Chen et al] GHttpd     Write using corrupted pointer  -                   Same as above
[Chen et al] Sshd       Corrupt data value             -                   Need more details.

Page 46: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


PE(V) for conventional attacks

• Stack-smashing
  – modify return address to point to injected code on stack
  – Range of possible code addresses is 1GB
  – Can improve success using NOP padding
    • With 1KB padding, PE(V) = 10^-6
• Heap overflow
  – Relies on knowing absolute addresses
  – If target pointer is in static data area, PE(V) = 1GB/64KB = 15K
  – This estimate applies to many other attack types: return-to-libc, format-string, …

Page 47: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Attacks on DAWSON Randomization

• Exploit weaknesses in randomization
  – Attacks that can extract “randomization key”
    • “information leakage attacks”
  – Partial overflow attacks
    • Overflow only the least significant byte of address
  – Double pointer attacks
    • Rely only on finding a writable address in memory
  – All require a combination of vulnerabilities
    • Low likelihood of finding them
• Derandomization (brute-force) attacks
  – Analyzed work factor in the next slides.
  – [Liang et al ’05] approach promises to block these …
    • Automatically learn signatures of memory error exploits and discard subsequent instances of them
    • Shown to be very effective on recent attacks on Linux

Page 48: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Exception Handler Protection – The Numbers

• Program address space is ~2Gb

• Assume a program size of ~200 Mb

• Dummy padding with alert functions and fail-crash code size is ~1.8 Gb

• Attacker has a 1 in 500 Million chance of getting the right DLL address; 90% chance of tripping an alarm per try.
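The work-factor arithmetic from the Pr(A) slide, the PE(V) figures for conventional attacks and the exception-handler numbers above, carried through in C as an added example (not code from the DAWSON project). The additive work factor without rerandomization and the p/(p+q) race against the alarm padding are modelling assumptions of this example, not figures from the deck.

```c
#include <stdio.h>

/* Guesses needed to defeat one randomized quantity: randomization range over
 * the granularity a guess may be off by (NOP-sled length for a code address,
 * 64KB allocation granularity for a static-data pointer): the deck's EE/PEE. */
double expected_attempts(double range_bytes, double granularity_bytes)
{
    if (range_bytes <= 0 || granularity_bytes <= 0)
        return 0;
    double n = range_bytes / granularity_bytes;
    return n < 1 ? 1 : n;
}

/* Pr(A) = Pr(V) / [EE(A) * PEE(A)]: per-attempt success probability when both
 * layers must be defeated within the same try. */
double attack_success_probability(double pr_v, double ee, double pee)
{
    return pr_v / (ee * pee);
}

/* Modelling assumption of this example, not a figure from the deck: without
 * rerandomization between attempts the two layers can be searched one after
 * the other, so their work factors add instead of multiplying. */
double attempts_without_rerandomization(double ee, double pee)
{
    return ee + pee;
}

/* base^k by repeated squaring, so the block needs no <math.h>. */
static double pow_ul(double base, unsigned long k)
{
    double r = 1.0;
    while (k) {
        if (k & 1)
            r *= base;
        base *= base;
        k >>= 1;
    }
    return r;
}

/* Chance of at least one success in k attempts when every failure triggers
 * rerandomization, i.e. independent attempts with probability p each. */
double success_within(double p, unsigned long k)
{
    return 1.0 - pow_ul(1.0 - p, k);
}

/* Exception-handler slide: the share of the address space filled with alert /
 * fail-crash padding is the chance that a wrong DLL guess trips an alarm. */
double alarm_probability(double addr_space, double program_size)
{
    return (addr_space - program_size) / addr_space;
}

/* Modelling assumption of this example: per-attempt success p, alarm q and
 * rerandomization after each failure give P(success before any alarm) =
 * p / (p + q). */
double success_before_alarm(double p, double q)
{
    return p / (p + q);
}

int main(void)
{
    double gb = 1024.0 * 1024.0 * 1024.0;
    double stack = expected_attempts(gb, 1024.0);       /* 1KB sled: 2^20 */
    double heap = expected_attempts(gb, 64.0 * 1024.0); /* 64KB: 16K ("15K") */
    double q = alarm_probability(2e9, 2e8);             /* 0.9 */
    printf("stack PE(V) ~ 1/%.0f, heap PE(V) ~ 1/%.0f\n", stack, heap);
    /* Illustrative pairing only: stack figure as EE, heap figure as PEE. */
    printf("both layers: %.3g per try rerandomized, 1/%.0f static\n",
           attack_success_probability(1.0, stack, heap),
           attempts_without_rerandomization(stack, heap));
    printf("alarm per wrong guess %.0f%%, success before alarm %.3g\n",
           100.0 * q, success_before_alarm(1.0 / 5e8, q));
    return 0;
}
```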

Page 49: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Attack Descriptions

Vulnerability | Attack Name, VulnNum, Port | Exploit Target | Payload Execution
Stack Buffer Overflow | Run_Stackov_abs, VulnNum 100, Port 9100 | Absolute stack address contains return address (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp, VulnNum 110, Port 9110 | Overwrite stack return address with JMP ESP in vulnerable DLL (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp_exe, VulnNum 111, Port 9111 | Overwrite stack return address with JMP ESP in EXE (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp_ntdll, VulnNum 112, Port 9112 | Overwrite stack return address with JMP ESP in NTDLL (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp_ws2, VulnNum 113, Port 9113 | Overwrite stack return address with JMP ESP in ws2_32.dll (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_stackov_rtl, VulnNum 120, Port 9120 | Overwrite stack return address with a local function address (32 bytes NOP) | Return to libc type
Stack Buffer Overflow | Run_stackov_lfp, VulnNum 130, Port 9120 | Overwrite a local function pointer that is called later (32 bytes NOP) | Return to libc type
Integer Overflow | Run_integerov1, VulnNum 200, Port 9200 | Integer overflow data array and overwrite neighbor function pointer | Return to libc type
Integer Overflow | Run_integerov2, VulnNum 210, Port 9210 | Integer overflow stack to overwrite exception handler with payload address | Return to libc type
Format string and Stack Buffer Overflow | Run_stackov_fmr, VulnNum 300, Port 9300 | Stack buffer overflow return address using format string function sprintf | Return to libc type
Heap overflow | Run_heapov1, VulnNum 400, Port 9400 | Heap overflow to overwrite a local function pointer | Return to libc type
Heap overflow | Run_heapov2_peb, VulnNum 410, Port 9410 | Heap overflow to overwrite RtlCriticalSection in PEB | Call System() to launch an external program
LookAsideList | Run_lookaside1, VulnNum 420, Port 9420 | Heap Lookaside List overflow stack return address with payload function address | Return to libc
LookAsideList | Run_lookaside2, VulnNum 421, Port 9421 | Heap Lookaside List overflow stack return | Return to libc
CriticalSectionList | Run_CSList, VulnNum 430, Port 9430 | Process Heap Critical Section List Overflow to overwrite a local function pointer | Call System() to launch an external program

Page 50: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Composite Results

Attack | none "0000" | dll-only "1000" | heap-only "0100" | stack-only "0010" | iat-only "0001" | all-but-kmd "1111" | kmd-only "0000"+K (with KMD) | all+kmd "1111"+K (with KMD)
fmrstr1 | 2 | 0 | 2 | 2 | 2 | 0 | 2 | 0
heapov1 | 2 | 0 | 2 | 2 | 2 | 0 | 2 | 0
heapov2 | 2 | 0 | 0 | 0 | 2 | 0 | 0 | 0
heapov3 | 2 | 0 | 0 | 0 | 2 | 0 | 2 | 0
heapov4 | 2 | 0 | 0 | 0 | 2 | 0 | 0 | 0
heapov5 | 2 | 0 | 2 | 2 | 2 | 0 | 2 | 0
integerov1 | 2 | 0 | 2 | 2 | 2 | 0 | 2 | 0
integerov2 | 2 | 0 | 2 | 2 | 2 | 0 | 2 | 0
stackov_abs | 2 | 1 | 0 | 0 | 2 | 0 | 2 | 0
stackov_esp | 2 | 0 | 2 | 0 | 2 | 0 | 0 | 0
stackov_esp_exe | 2 | 0 | 2 | 0 | 2 | 0 | 0 | 0
stackov_esp_kernel32 | 2 | 2 | 2 | 2 | 2 | 2 | 0 | 0
stackov_esp_ntdll | 2 | 2 | 2 | 2 | 2 | 2 | 0 | 0
stackov_lfp | 2 | 0 | 2 | 2 | 2 | 0 | 2 | 0
stackov_rtl | 2 | 0 | 2 | 2 | 2 | 0 | 2 | 0

Results of lilo VulnSrv2 without kernel driver randomization

Emulab + Red Team Demo System Composite

without Kernel Mode Driver (KMD)

Page 51: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


DAWSON Testing Notes

December 1, 2005

Page 52: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Manual Tests: 3 Node Red Team Testbed

Left panel: without Kernel Mode Driver (KMD), none ("0000"). Right panel: lilo with Kernel Mode Driver (KMD), all ("1111").

VulnNum | Attack | Trials | Infected | Blocked | %Blocked || Trials | Infected | Blocked | %Blocked
100 | stackov_abs | 65 | 65 | 0 | 0% || 294 | 0 | 294 | 100%
110 | stackov_esp | 65 | 65 | 0 | 0% || 294 | 14 | 280 | 95%
111 | stackov_esp_exe | 65 | 65 | 0 | 0% || 294 | 0 | 294 | 100%
112 | stackov_esp_ntdll | 65 | 65 | 0 | 0% || 294 | 0 | 294 | 100%
113 | stackov_esp_kernel32 | 65 | 65 | 0 | 0% || 294 | 0 | 250 | 85%
120 | stackov_rtl | 65 | 65 | 0 | 0% || 294 | 15 | 279 | 95%
130 | stackov_lfp | 65 | 65 | 0 | 0% || 293 | 15 | 234 | 80%
200 | integerov1 | 65 | 65 | 0 | 0% || 293 | 15 | 278 | 95%
210 | integerov2 | 65 | 65 | 0 | 0% || 293 | 15 | 278 | 95%
300 | fmrstr1 | 65 | 65 | 0 | 0% || 293 | 15 | 278 | 95%
400 | heapov1 | 65 | 65 | 0 | 0% || 293 | 15 | 278 | 95%
410 | heapov2 | 65 | 65 | 0 | 0% || 293 | 0 | 293 | 100%
420 | heapov3 | 65 | 65 | 0 | 0% || 294 | 0 | 294 | 100%
421 | heapov4 | 65 | 65 | 0 | 0% || 293 | 0 | 293 | 100%
430 | heapov5 | 65 | 65 | 0 | 0% || 293 | 15 | 278 | 95%

Composite result of 44 manual and 250 semi-automated test runs on fully randomized system.
65 manual runs on unprotected baseline system.
Test run is 15 attacks, one against 15 new process instances.

Page 53: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Testing: Scale

Small Scale Tests
  Method: Relatively more manual
  Scale: Fewer test cases (tens to hundreds), smaller networks (2 or 3 nodes)
  Observation: Close – more state available for analysis (can stop and drill down into images at run time – dynamic debugger)
  Advantage: ability to stop and analyze causes of unanticipated events; much state data retained and available
  Disadvantage: misses phenomena that occur at scale

Large Scale Tests
  Method: Much more automated
  Scale: Many more trials (thousands to millions), larger networks (10’s to 100’s)
  Observation: Limited – less state available; can only inspect what was logged. Logs massive but limited
  Advantage: finds effects and problems that occur at larger scales or over longer periods of time
  Disadvantage: limited to data from log records – less complete picture of system state

Page 54: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Testing

• Testing in the small
  – Fewer test cases, but closer observation
  – Much system state available – can stop and run debugger to observe even closer.
  – When interesting phenomena occur can stop and drill down into system state with debuggers, etc.
• Testing in the large
  – Flexible network based testing on Emulab
  – Test defenses on larger networks up to 100 nodes.
  – Automate a suite of tests
  – Provide feedback to developers
  – Provide examples on networks of non-trivial size.
  – Observe phenomena scale
    • Test on larger networks of up to 100 hosts
    • Use parallelism for more test cases over time

Page 55: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

What is Emulab

Project at Univ of UTAH (Jay Lepreau)

Shared network testbed of over 300 hosts

Dynamically imaged and configured for each experiment

Web-interface to remote users

Common resource for researchers

Progenitor of numerous other testbeds

Page 56: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

What we have done

• Automated Installation & Configuration of Emulab Images for DAWSON

• Packaged a corpus of attacks in Metasploit
• Added instrumentation to detect marker file dropped by attacker
• Automate attacks on variety of defense configurations to probe effectiveness of individual randomizations.
• Sample test runs:
  – 15 attacks x 6 defensive configurations = 90 trials
  – Target population of 10 nodes

• Empirical validation of expectations

Page 57: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Examples

• DAWSON Wiki – Main Page

• Overview

• Recent script generated results

• Quick Demo
  – RDT

• Show log files

• Show summary chart

Page 58: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Red Team Meeting

• Notes on Nov 7 Meeting with Red Team
  – Attack Ideas
    • Does vulnSrv2 have way to send data out a port?
      – Potentially speed up probing
    • Trigger reversion to old DLLs
    • Restore original DLLs & convince system these are already randomized
    • Some critical data structures not randomized
    • Direct system calls – interrupts/svc’s

Page 59: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Baseline Effectiveness

[Chart: Baseline Effectiveness – %Blocked per attack for stackov_abs, stackov_esp, stackov_esp_exe, stackov_esp_ntdll, stackov_esp_kernel32, stackov_rtl, stackov_lfp, integerov1, integerov2, fmrstr1, heapov1, heapov2, heapov3, heapov4, heapov5; y-axis 0% to 100%]

Page 60: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Catalyst Experiment Monitor

December 6, 2005
KMD+1111+ConflResolv1201
Called at approx 2:23 pm

Page 61: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Abstract View of Attacks

[Diagram: state space S split into G, the “good” states (not compromised; programs acting on “good” inputs), and E, the “evil” states (attacker compromised system; program acting on “evil” inputs; attacker succeeds). Pg maps G to G; Pe maps G to E.]

Pg in good states stays in good states. Represents desired behavior.
wp(Pg,G) <= G

Pe describes flaws where certain inputs allow compromise
G <= wp(Pe,E)

Characterize successful attacks as program inputs e that transition from good states to evil states.

Until we create more nearly perfect programs, flaws in realization of P will continue to exhibit Pe cases

Page 62: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Idealized Effect of Randomizing Transformations

[Diagram: the Randomizing Transform maps the original state space S (with G, E, Pg, Pe) to S’ (with G’, E’, Pg, Pf).]

After the Transformation:
• Nearly all good inputs in good states still work: wp(Pg,G’) <= G’
• Previously successful attacks no longer work: wp(Pe,G’) <= G’
• Pe → Pf: vulnerability to e randomly remapped to an unknown f
• f-attack analogs to old e-attack, where wp(Pf,G’) <= E, will appear, but
  • f is hard to find for a specific host
  • f’s are diverse over the host population

Page 63: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Attack String Construction: Phase I

Slide callouts on the attack string:
• Offset sprintf destination to the return address on stack
• Address to write 1st byte of JMP ESP instr
• Padding
• Address to write 2nd byte of JMP ESP instr
• Short NOP sled
• jmp esp
• Format string escapes to write the $writeAddr into the return address.
• add esp,7fh (3 times); add esp, 5fh
• Point ESP to a clean copy of attack string and jmp into it
• Entry point of our JMP ESP: fixes up ESP register to prior value
• Falls through into Metasploit shell code for DLL injection.

    my $evil = pack('V', "$writeAddr");
    $evil .= "\x41\x41\x41\x41";
    $evil .= pack('V', $writeAddr+1);
    $evil .= "%496c";
    $evil .= pack('V', $writeAddr);
    $evil .= "\x90\x90\x90\x90"
        "\x83\xc4\x7f" "\x83\xc4\x7f" "\x83\xc4\x7f" "\x83\xc4\x5f" "\xff\xe4"
        "%229c%hn%229c%hn"
        "\x83\xec\x7f" "\x83\xec\x7f" "\x83\xec\x7f" "\x83\xec\x5f";
    $evil .= $shellcode;

Page 64: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

An Alternative Attack: Phase I

MDVULN.dll – vulnerable service code:

    void formatStrAttack(char *sBuffer, int nSize)
    {
        char buf[512];
        char bufmain[512];
        sprintf(buf, "String : %s", sBuffer);   // (1) unbounded copy
        sprintf(bufmain, buf);                  // (2) attacker data used as format string
    }                                           // (4) return

    DWORD WINAPI FormatStrThread(LPVOID lParameter)
    {
        char safeBuf[4096];
        int nRet = recv(peerSock, safeBuf, sizeof(safeBuf), 0);
        formatStrAttack(safeBuf, nRet);
        return 0;
    }

[Diagram: stack frames of FormatStrThread (char[4096] safeBuf) and formatStrAttack (char[512] buf, char[512] bufmain, return address, Old ESP); MA, a writeable/executable page in memory at 0x7ffdxxxx, holds the JMP ESP.]

1) First sprintf overflows buffer putting a “magic” address MA into the return address slot.
2) Second sprintf interprets the format string, poking a JMP ESP instruction into memory at the “magic” address
3) ESP is manipulated to point to start of shell code inside the stack frame.
4) Normal return now branches to MA where it executes the JMP ESP
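A hardened rewrite of the MDVULN.dll routine shown above, added here as an example and not code from the DAWSON deck: it closes both the unbounded copy at (1) and the attacker-controlled format string at (2). The function names, the 512-byte message size kept from the slide, and the test inputs are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MSG_SZ 512

/* Hardened counterpart of the slide's formatStrAttack(). Returns 1 if output
 * had to be truncated anywhere, 0 otherwise, -1 on error; `out` always ends up
 * NUL-terminated within outsz bytes. */
int format_str_safe(const char *sbuffer, size_t nsize, char *out, size_t outsz)
{
    char buf[MSG_SZ];
    int prec = nsize > INT_MAX ? INT_MAX : (int)nsize;

    if (sbuffer == NULL || out == NULL || outsz == 0)
        return -1;

    /* (1) Bounded: snprintf never writes past sizeof buf, and the %.*s precision
     * caps how many bytes are read from sbuffer, so a recv() buffer that carries
     * no terminating NUL is safe to pass in. */
    int n = snprintf(buf, sizeof buf, "String : %.*s", prec, sbuffer);
    if (n < 0)
        return -1;
    int truncated = (size_t)n >= sizeof buf;

    /* (2) The attacker-controlled text is an argument, never the format string,
     * so %n / %x in the input are copied literally rather than interpreted, and
     * the copy is bounded by outsz instead of blindly filling a 512-byte array. */
    int m = snprintf(out, outsz, "%s", buf);
    if (m < 0)
        return -1;
    return truncated || (size_t)m >= outsz;
}

/* Detection aid: count printf-style directives in raw request data so the
 * service can log inputs that look like the slide's attack string. A '%' that
 * is not followed by another '%' counts; "%%" is a literal percent sign. */
int count_format_directives(const char *data, size_t len)
{
    int count = 0;
    for (size_t i = 0; i < len; i++) {
        if (data[i] != '%')
            continue;
        if (i + 1 < len && data[i + 1] == '%') {
            i++; /* skip the escaped percent */
            continue;
        }
        count++;
    }
    return count;
}
```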

Page 65: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


DAWSON DLL Rebase Design Considerations

• DAWSON DLL Rebase
  – Benefits vs Costs
  – Functionality vs Flexibility
• DLL Base randomization
  – Rebase and Share
  – Rebase on Demand
  – Rebase on Request
• Local Configuration
• Interface with Blackboard

Page 66: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


PEB/SEH Protection: Exception Handlers

• Monitoring for exceptions is done
  – From another process
    • Using Win32 DEBUG API
  – Within the same process
    • Using Vectored Exception Handling
• Monitor needs to receive exception events before the attacker

Page 67: Diversity Algorithms for Worrisome Software and Networks (DAWSON)


Four ways to monitor exceptions

                   | Load Time                                                  | Runtime
Monitoring Process | CreateProcess(…, DEBUG_PROCESS, …)                         | DebugActiveProcess(process_id)
DLL injection      | Import table modification & AddVectoredExceptionHandler(…) | CreateRemoteThread(…) & AddVectoredExceptionHandler(…)

Page 68: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Red Team Exploit Analysis

1. Phase I of the attack is insensitive to DLL positions or stack locations. (see 6 & 7)
   • It only needs a location to which it can write a JMP ESP instruction.
   • It typically finds such a location inside a page where the PEB (Process Environment Block) resides by default.
   • Though marked READ_ONLY in SP1, an exception handler in the kernel implements copy-on-write semantics for the first write to this page.
   • The fixed address 0xffdc082 is near the PEB but not inside of it. Writing to it does not typically corrupt the PEB/TEB structures.
2. In later testing, it appears that the Red Team attack either always succeeds or always fails for a particular boot.
   • Even in the failures, Phase I of the attack appears to work, i.e. the DLL injection callback gains control and does execute.
   • Attack fails by not successfully writing a marker file on the target host.

Page 69: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Vulnerable Server

• VulnSrv2.exe:
  – A program run as a command line console application.
  – VulnSrv2 loads MdVuln2.dll and listens on the specified port for each vulnerability.
    • Each vulnerability on a different port
  – Uses multi-threaded server architecture
    • One thread for each vulnerability

Page 70: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Small Scale Tests

Corpus of 15 baseline attacks (Metasploit). Each row shows #Trials, #Infected, #Blocked, %Blocked, %Unblocked for three configurations:
  A: No Randomization, w/o KMD, 65 trials
  B: All Randomizations, 11/15 Release (Red Team), lilo w/ KMD, all BEFORE ConfResolv1201, 294 trials
  C: All Randomizations, 12/01 Release, lilo w/ KMD, all AFTER ConflResolv1201, 355 trials

VulnNum | Attack | A: Trials | Infected | Blocked | %Blocked | %Unblocked || B: Trials | Infected | Blocked | %Blocked | %Unblocked || C: Trials | Infected | Blocked | %Blocked | %Unblocked
100 | stackov_abs | 65 | 65 | 0 | 0% | 100% || 294 | 0 | 294 | 100% | 0% || 355 | 0 | 355 | 100% | 0%
110 | stackov_esp | 65 | 65 | 0 | 0% | 100% || 294 | 14 | 280 | 95% | 5% || 355 | 0 | 355 | 100% | 0%
111 | stackov_esp_exe | 65 | 65 | 0 | 0% | 100% || 294 | 0 | 294 | 100% | 0% || 355 | 5 | 350 | 99% | 1%
112 | stackov_esp_ntdll | 65 | 65 | 0 | 0% | 100% || 294 | 0 | 294 | 100% | 0% || 356 | 0 | 356 | 100% | 0%
113 | stackov_esp_kernel32 | 65 | 65 | 0 | 0% | 100% || 250 | 0 | 250 | 100% | 0% || 356 | 0 | 356 | 100% | 0%
120 | stackov_rtl | 65 | 65 | 0 | 0% | 100% || 294 | 15 | 279 | 95% | 5% || 356 | 0 | 356 | 100% | 0%
130 | stackov_lfp | 65 | 65 | 0 | 0% | 100% || 249 | 15 | 234 | 94% | 6% || 356 | 0 | 356 | 100% | 0%
200 | integerov1 | 65 | 65 | 0 | 0% | 100% || 293 | 15 | 278 | 95% | 5% || 356 | 0 | 356 | 100% | 0%
210 | integerov2 | 65 | 65 | 0 | 0% | 100% || 293 | 15 | 278 | 95% | 5% || 356 | 0 | 356 | 100% | 0%
300 | fmrstr1 | 65 | 65 | 0 | 0% | 100% || 293 | 15 | 278 | 95% | 5% || 356 | 23 | 333 | 94% | 6%
400 | heapov1 | 65 | 65 | 0 | 0% | 100% || 293 | 15 | 278 | 95% | 5% || 356 | 2 | 354 | 99% | 1%
410 | heapov2 | 65 | 65 | 0 | 0% | 100% || 293 | 0 | 293 | 100% | 0% || 356 | 0 | 356 | 100% | 0%
420 | heapov3 | 65 | 65 | 0 | 0% | 100% || 294 | 0 | 294 | 100% | 0% || 355 | 0 | 355 | 100% | 0%
421 | heapov4 | 65 | 65 | 0 | 0% | 100% || 293 | 0 | 293 | 100% | 0% || 355 | 0 | 355 | 100% | 0%
430 | heapov5 | 65 | 65 | 0 | 0% | 100% || 293 | 15 | 278 | 95% | 5% || 355 | 0 | 355 | 100% | 0%

Page 71: Diversity Algorithms for Worrisome Software and Networks (DAWSON)

Further Development

• Expects

  – Fixed PEB/TEB base location
  – Exception handler location
  – Initial process heap/CRT heap base randomization
  – Some things not exhaustively covered
    • Process/thread creation, memory allocation
  – Undocumented Native API
    • Occasional communication error with Win32 subsystem
  – Remote monitoring and management
• Solutions
  – Kernel mode driver
  – Expanded vulnerabilities and attacks for Layer 2 testing
  – Control and alerting interfaces
    • Enterprise version capabilities (Army CECOM?)