How Twiggy Saved Sparky

Joseph Calandrino

Matt Spear

Malware Seminar – Fall 2004

Meet Twiggy

Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.

Meet Robbie

Robbie’s Setup

walkAnimal(name), petAnimal(name) and feedAnimal(name) each call doAction(action, name).

Evil Is Afoot

If only I could modify the action for doAction…

More on Robbie

petAnimal(name)

    name           action
    . . . . . .    P E T

doAction(action, name)

Disclaimer: This is simplified

Evil Is Afoot

petAnimal(“SPARKYEA”)…Sparky is mine!!!

More on Robbie

petAnimal(name)

    name           action
    S P A R K Y    E A T

("SPARKYEA" ran past the six-byte name buffer, overwriting P E and leaving E A T as the action.)

doAction(action, name)

Sparky Senses Danger

petAnimal(name)

    name           action
    S P A R K Y    (pointer)  -->  P E T

(action now holds a pointer to the P E T data instead of the bytes themselves)

doAction(action, name)

The Dreaded Double Pointer

    name           action
    S P A R K Y    (pointer)  -->  P E T

Evil Will Not Be Deterred

    name           action
    S P A R K Y    (pointer)  -->  E A T

Turn on the Twiggy-Signal

Twiggy to the Rescue

Modify Robbie’s code to maintain hashes of all buffers:

    name           action
    . . . . . .    P E T

    buffer    addr      len    hash
    action    action    3      hash(PET)
    name      name      -      hash(…)

Also stores data for name.

Secret key = 32589. Robbie needs to store this somewhere inaccessible to Dr. Evil…

Without Spoiling Your Day

But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer.

Stop That Modification!

Check it before use:

petAnimal(name)

    name           action
    S P A R K Y    E A T

    addr      len    hash
    action    3      hash(PET)

if(hash(_) != _) exit

doAction(action, name)

Dr. Evil Is Foiled

Dr. Evil can’t effectively modify buffers without altering entries in the table… which are hashed using a secret key.
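The table-and-check scheme the slides describe, as an added C example (my code, not the deck's): a keyed hash of the action buffer is recorded in a table entry before the unchecked copy into name, and doAction is reached only if the stored hash still matches. The frame layout, the FNV-style keyed hash and the helper names are my assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative key (the deck's 32589); a real key must live somewhere
 * the attacker cannot read or write, as the deck points out. */
#define SECRET_KEY 32589u

/* One table entry per protected buffer: where it lives, how long it is,
 * and the keyed hash of its last known-good contents. */
struct guard { const unsigned char *addr; size_t len; uint32_t hash; };

/* Keyed FNV-1a style hash (my choice, not the deck's): the key seeds the
 * state, so a matching table entry cannot be forged without the key. */
static uint32_t keyed_hash(const unsigned char *p, size_t len) {
    uint32_t h = 2166136261u ^ SECRET_KEY;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static struct guard register_buffer(const unsigned char *addr, size_t len) {
    struct guard g = { addr, len, keyed_hash(addr, len) };
    return g;
}

/* 1 if the buffer still matches its recorded hash, 0 if it was modified. */
static int check_buffer(const struct guard *g) {
    return keyed_hash(g->addr, g->len) == g->hash;
}

/* Constructed model of Robbie's frame: name is bytes 0..5 and the action
 * buffer ("PET") sits immediately after it at bytes 6..8, as in the deck. */
enum { NAME_OFF = 0, ACTION_OFF = 6, ACTION_LEN = 3, FRAME_LEN = 16 };

/* Returns 1 if doAction would run, 0 if the check before use aborted it.
 * pet_input is copied with no length check against the name field,
 * reproducing the deck's overflow, but never past frame[] itself. */
static int pet_animal(const char *pet_input) {
    unsigned char frame[FRAME_LEN] = {0};
    memcpy(frame + ACTION_OFF, "PET", ACTION_LEN);
    struct guard g = register_buffer(frame + ACTION_OFF, ACTION_LEN);

    size_t n = strlen(pet_input);
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame + NAME_OFF, pet_input, n);   /* "SPARKYEA" spills E A over P E */

    if (!check_buffer(&g)) return 0;          /* if(hash(_) != _) exit */
    return 1;                                 /* doAction(action, name) */
}
```

pet_animal("SPARKY") returns 1 and pet_animal("SPARKYEA") returns 0, since the action buffer now reads E A T. A write that puts the original bytes back (for example "SPARKYPE") still passes, because the table detects changed contents, not the out-of-bounds write itself.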

But At What Cost?

Hashes and checks can be computationally expensive

Can Robbie feed Twiggy and Sparky on time?

The Statistics: Robbie Runtime

[Bar chart: cycle count (time to feed Twiggy and Sparky) for the program (Robbie’s control system), unmodified vs modified; y-axis from 0 to 200000]

    Unmodified    148000 cycles
    Modified      172000 cycles

Reduce the Cost

Do we need to check all buffers?

What about only checking buffers used as inputs to dangerous methods?

(That’s all the buffers in our example, but likely far fewer than in the program)

Can Twiggy use call-graph analysis to find those buffers?

Did It Work?

• Basic defense method protects buffers from modification.

• Aliasing ignored.

• Can we track down critical buffer values?

• We’re still working on that.

• But, for Twiggy, yes (this is supposed to be a happy story)

Happily Ever After

By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures.