All problems of design are solved by
the addition of a layer of indirection.
All problems of efficiency are solved by
the removal of a layer of indirection.
A Linguistic Platform for Threat Development
Ben Kurtz
Imperfect Networks
Introduction
By applying programming language theory to the development of new network attacks, we can create next-generation platforms capable of quickly handling arbitrary protocols and hardware, and exponentially reducing threat development time.
Overview
- Motivation
- Threat Testing
- Goals of a new system
- Applications of Programming Language Theory
Motivation
- We want to break stuff!
  - Easier
  - Faster
  - Better
- Minimize threat development turnaround time
Motivation (cont.)
- Why do we want to break stuff?
  - Network Equipment/Service Testing
  - Malice
- IDS systems eventually have to be tested…
- And they must be tested with REAL threats!
Motivation (cont.)
- You can't have 0-day protection without 0-day testing!
- This requires same-day threat testing.
Window of Vulnerability
- If it takes two weeks to complete the cycle,
- your Window of Vulnerability is two weeks!
Options for Improvement
- Option 1
  - Hire more people
  - Work in parallel
  - Still limited by current time-consuming tools
  - Window of Vulnerability remains the same
- Option 2
  - Automate the common, repetitive tasks associated with threat development.
  - Better tools
  - Only deal with the unique aspects of a threat.
So…
- Hiring more people would be great!
- But it's not going to happen.
- We need better tools.
Threat Platforms
- We have some threat platforms available to us already…
  - Metasploit / Canvas
  - Nessus
  - …
  - Perl
- Versatility
- Speed of Development
- Real, Live Threats
Design Goals
- One tool to generate all possible threats
- Platform/Target independence
- PCAP import
- Multi-source traffic playback
- Simulation and Testing
- Unified platform means unified reporting
Programming Language Theory
- Grammars
  - Rules that describe a language
  - Serve dual purposes:
    - Generation – to make valid expressions
    - Validation – to determine validity of an expression
  - Extended Backus-Naur Form (EBNF)
Compilers
- Translates one language to another
- Stages of compilation
  - Lex – syntax
  - Parse – semantics
  - Intermediate Representation
  - Code Generation
- Can use well-documented methods and algorithms.
Parser Generators
- Also called Compiler Compilers
- Often overlooked, but powerful
- PGs are compilers that can dynamically redefine the input and output grammars
- EBNF specification of input or output grammars
- Good at handling many different languages
Soup
ARP, BGP, CDP, DHCP, DNS, Ethernet, GRE,
HSRP, HTTP, ICMP, 802.3, 802.11, IGMP, IPv4,
IPv6, ISAKMP, L2F, LWAPP, NTP, OSPF, PIM,
RADIUS, RIP, RTCP, SLP, SMTP, SNAP, ST2,
STP, TACACS, TCP, TFTP, UDP, VAT, VLAN
And countless others…
The Big Idea
Network Protocols are Languages!
(And Normal Languages at that!)
Protocol Specification
- Each protocol is an ordered list of fields.
- Protocols that allow encapsulated protocols have a Payload, a special field akin to a non-terminal.
- The Payload will point to the grammar of the encapsulated protocol.
- The innermost Payload can contain arbitrary binary information, such as shellcode.
Ethernet Example
Start   -> ETH
ETH     -> srcMAC destMAC pktType Payload
srcMAC  -> (regex for a MAC Address)
destMAC -> (regex for a MAC Address)
pktType -> (regex for 2 Bytes of Hex)
Payload -> (unbound non-terminal)
Putting it Together
Ethernet
  +srcMAC +destMAC +pktType +Payload -> IP
    +Version +HeaderLen +TOS +Protocol +... +Payload -> TCP
      +srcPort +destPort +SeqNum +... +Payload
Dynamic Protocols
- I lied. Not all protocols are just a list of fields.
- Some have different structures based on the value of a 'Type' field
- Examples: ICMP, OSPF, DHCP
- These dynamic protocols can be handled by splitting up the definitions

Ethernet
  +srcMAC +destMAC +pktType +Payload -> IP
    +Version +HeaderLen +TOS +Protocol +... +Payload -> OSPF_Header
      +Version +Type +PktLen +... +Payload -> OSPF_Hello
        +NetMask +Interval +Options +...
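The grammar view from the Protocol Specification, Ethernet and Dynamic Protocols slides, worked through in Python as an added example (not the talk's own tool): each protocol is an ordered field list whose Payload is a non-terminal, a dispatch table binds that Payload from a selector field such as OSPF's Type, and the same definitions drive both generation and validation/decomposition, which is also what the later grammar-based PCAP decomposition relies on. The struct layouts, the abbreviated IP rule (no options, Version and HeaderLen packed in one byte) and the sample addresses are constructed for illustration.

```python
import struct
# Protocol grammars: each rule is an ordered list of (field, struct format); a format of
# None marks the Payload non-terminal.  Added example, not the talk's tool; the IP rule is
# abbreviated and only the OSPF Hello and DBD bodies are modelled (constructed layouts).
PROTOCOLS = {
    # On the wire the destination MAC precedes the source MAC.
    "ETH": [("destMAC", "6s"), ("srcMAC", "6s"), ("pktType", "H"), ("Payload", None)],
    "IP": [("VerIHL", "B"), ("TOS", "B"), ("TotalLen", "H"), ("ID", "H"), ("FlagsFrag", "H"),
           ("TTL", "B"), ("Protocol", "B"), ("Checksum", "H"), ("src", "4s"), ("dst", "4s"), ("Payload", None)],
    "OSPF_Header": [("Version", "B"), ("Type", "B"), ("PktLen", "H"), ("RouterID", "4s"), ("Payload", None)],
    "OSPF_Hello": [("NetMask", "4s"), ("HelloInterval", "H"), ("Options", "B"), ("Priority", "B")],
    "OSPF_DBD": [("MTU", "H"), ("Options", "B"), ("Flags", "B")],
}
# Dynamic protocols: the outer rule's selector field chooses which grammar binds its Payload.
DISPATCH = {"ETH": ("pktType", {0x0800: "IP"}), "IP": ("Protocol", {89: "OSPF_Header"}),
            "OSPF_Header": ("Type", {1: "OSPF_Hello", 2: "OSPF_DBD"})}

def generate(stack):
    # Generation: stack = [(protocol, values), ...] outermost first.  Each Payload binds to
    # the next layer; the innermost layer's Payload takes raw bytes from values["Payload"].
    packet = b""
    for proto, values in reversed(stack):
        layer = b""
        for name, fmt in PROTOCOLS[proto]:
            layer += (packet or values.get("Payload", b"")) if fmt is None \
                else struct.pack("!" + fmt, values[name])
        packet = layer
    return packet

def parse(proto, data):
    # Validation/decomposition: consume fields in order, recurse into the Payload grammar
    # chosen by DISPATCH, and reject truncated or over-long input (the 'validity' half).
    fields, pos = {"_proto": proto}, 0
    for name, fmt in PROTOCOLS[proto]:
        if fmt is None:  # Payload: bind to the inner grammar, or keep the raw bytes
            selector, table = DISPATCH.get(proto, (None, {}))
            inner = table.get(fields.get(selector))
            fields["Payload"] = parse(inner, data[pos:]) if inner else data[pos:]
            return fields
        size = struct.calcsize("!" + fmt)
        if pos + size > len(data):
            raise ValueError(f"{proto}.{name}: truncated at offset {pos}")
        (fields[name],) = struct.unpack("!" + fmt, data[pos:pos + size])
        pos += size
    if pos != len(data):
        raise ValueError(f"{proto}: {len(data) - pos} trailing bytes")
    return fields

# Constructed sample stack (addresses invented): Ethernet > IP > OSPF header > Hello.
SAMPLE = [("ETH", {"destMAC": b"\x01\x00\x5e\x00\x00\x05", "srcMAC": b"\x00\x11\x22\x33\x44\x55", "pktType": 0x0800}),
          ("IP", {"VerIHL": 0x45, "TOS": 0xC0, "TotalLen": 36, "ID": 1, "FlagsFrag": 0, "TTL": 1,
                  "Protocol": 89, "Checksum": 0, "src": b"\xc0\xa8\x01\x01", "dst": b"\xe0\x00\x00\x05"}),
          ("OSPF_Header", {"Version": 2, "Type": 1, "PktLen": 16, "RouterID": b"\x01\x01\x01\x01"}),
          ("OSPF_Hello", {"NetMask": b"\xff\xff\xff\x00", "HelloInterval": 10, "Options": 2, "Priority": 1})]
```

Running `parse("ETH", generate(SAMPLE))` returns the nested field tree down to the Hello body; changing the header's Type to 2 makes the same bytes parse under the DBD grammar, and a frame cut short raises ValueError.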
Dynamic GUI
- We need the GUI to provide:
  - The ability to create stacks of protocols
  - The ability to create series of stacks
  - The ability to assign things to fields
- Types of things for fields:
  - Functions
  - Variables
  - Values
Some Useful Functions
- Range
- Random
- Random String
- Homogeneous String of Length X
- Concatenation
- Checksums
Threat Description
- Behavior of Threats
- Metadata
- Named Variables
- Functions
- Lists
Binding and Playback
- Pre-compilation of Threats (Threat Binding)
- Distributed design
- Multi-Source Traffic Playback
Importing from PCAP
- Grammar-based PCAP decomposition
- Translating using Protocol Definitions
- Multi-sourced PCAP files
- Edit your imported PCAP for playback
Conclusion
- Threat Development and Delivery Platforms based on Parser Generators have several advantages:
  - Speed of Development
  - Live Testing
  - PCAP Import and Playback
  - Platform and Protocol Independence
Q & A
At this time, I'd like to open the floor up for questions.