Instruction Subsets in Software Diversity
Malware Project
Nguyet Nguyen
Nov. 30th 2004


Page 1: Title slide (Instruction Subsets in Software Diversity, Malware Project, Nguyet Nguyen, Nov. 30th 2004)

Page 2: Motivation: Visit the company

Computer
• CPU is the main worker of the company Computer
• CPU joins a set of parts called Insts into robots called Softs
• Softs work at the Computer office
• Computer stores some gold boxes in the office
• Insts are delivered by Developers
• Gold boxes have some holes in them
• The office door is open

Page 3: Computer's Office (diagram: Insts, Software, CPU, Gold boxes)

Page 4: Motivation: meet Evil

• Mr Evil knows how CPU works
• Mr Evil knows the holes of the gold boxes
• Evil creates a new array of Insts that CPU will assemble into a new kind of Robot called Worms
• Worms can steal gold via the holes

Page 5: Problems occur in Computer Office (diagram: Insts, CPU, Gold boxes, Software, Worms)

Page 6: Bigger Problem: All companies

Page 7: Current Solutions

• Using a Gatekeeper before CPU
• Dye the Insts with dyeing solution Key
• Gatekeeper applies rev-Key to dyed Insts
(Randomizing Instruction DIALECTS)

Page 8: Illustrator (diagram of Insts; caption: "Hu hu, I cannot do anything")

Page 9: Is it good?

• Portable? No
• Performance? Reduced
• Security?
  – Relies on the enforcement environment
  – Key can be guessed

Page 10: Subset (diagram of Insts; caption: "Hu hu, I cannot do anything")

Page 11: Is Instruction Subset better?

• Portable
• Performance: Hardware Gatekeeper
• Security:
  – Works without the enforcement environment
  – Different sizes of versions

Page 12: Groups of Instructions

• Divide the Instruction Set into Groups:
  – Group of unique instructions (UI)
  – Groups of equivalent instructions (EIs)
• New IS = UI + new EI
  – New EI's members are selected from each of the old EIs

Page 13: Unique Instructions

• Call
• Int/Ret
• Convert Instructions: Cbw, Cdq
• Set/Clear Interrupt Flag: CLI, STI
• ASCII and Decimal Adjust: Aaa, Aad
• ESC, Halt
• Lea
• Lock
• Nop
• Push/Pop, PushF/PopF
• Wait/FWait
• In/Out

Page 14: Groups of EIs

• Load instructions: lds, lodsb, lodsw
• Store instructions: stosb, stosw
• Branch instructions: jump, loop, repeat (35+5+5 = 45 insts)
• Move instructions: Mov, Movs, Movsx, Movzx
• Add/Sub: Add, Inc, Dec, Sub
• Mul/Div: imul, mul, idiv, div
• Test:
• Interchange: Cmp and Change
• Flags set:
• Logical Operation: and, or, xor, not (4 insts)

Page 15: Transformation

• Some transformations are easy, others are not
• Transformation complexity depends on other groups
Ex:
• dec and sub
• Jmp:
    Mov ax,0
    Je ax;

Page 16: Instruction selecting in EI sets

• Insts with transformation complexity are statically omitted or allowed (50% chance of allowing)
  • Inc, dec, mov, jmp
• Pick randomly 1 of the remaining instructions

Page 17: Does it work?

• 3 questions:
  – Is it possible for a worm to use only UI to complete its work?
  – How many diverse subsets do we have?
  – How long should a worm be to ensure an acceptable rate of protection?

Page 18: Question 1: UI is enough?

• NO
• Why?
  – A worm should use a Jump
  – A worm should use a load
• Verification?
  – CodeRed
  – Sapphire
  – Nimda
  – Unix worms: ADM Worm v1

Page 19: Question 2: How diverse is this approach?

• The number of different versions we have is:
  2^(number_of_static_inst) × number_of_EI1 × …
• Depends on the number of EIs to which we apply the selecting process and how many instructions we pick up in a set

Page 20: Question 3: Performance?

• Does not depend on how long a worm is
• It is how many different instructions a worm uses
• Using only opcodes limits opportunities of subset diversity

Page 21: Example: Sapphire

• Instructions: push, mov, xor, loop, lea, call, cmp, jz, or, shl, jmp
UI: push, call, lea
OI:
• Logical Operation: or, xor, cmp, shl
• Branch Operation: loop, jz, jmp
• Move Operation: mov
PERFORMANCE:
P(all insts pass) = 2 (3/4) (2/3) (1/45) (1/45) (1/2) = 10^-4
Anything wrong?
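The selection procedure on slide 16 and the version-count and pass-probability reasoning on slides 19 to 21 can be made concrete in code. The Python below is an added example, not code or data from the presentation: it builds one random version (UI always kept, the four "complex" instructions kept by a coin flip, `keep` survivors drawn from each EI group), counts the versions the way slide 19 does, and computes the exact probability that every distinct mnemonic a worm uses survives, with a Monte Carlo cross-check. The group contents and sizes, the `keep` parameter and the hypergeometric rule for several survivors per group are my assumptions; the model generalizes the one-survivor-per-group case on slide 16 and does not reproduce the slide's own arithmetic.

```python
"""Toy model of the instruction-subset scheme on slides 12, 16, 19, 20 and 21.
Added example; not the presentation's own code or data.

Assumed model (constructed for illustration):
- UI members are always kept;
- "complex" instructions (inc, dec, mov, jmp on slide 16) are kept with
  probability 1/2 by an independent coin flip;
- from every EI group, `keep` members survive, drawn uniformly at random
  (capped at the group size);
- a worm runs on a version only if every distinct mnemonic it uses survives.
Group contents and sizes below are constructed, not the slides' counts.
"""
from fractions import Fraction
from math import comb
import random

UI = {"push", "call", "lea", "nop", "int", "ret", "cli", "sti", "in", "out"}
COMPLEX = {"inc", "dec", "mov", "jmp"}  # slide 16: statically allowed or omitted
EI_GROUPS = {
    "logical": ["and", "or", "xor", "not", "cmp", "shl", "shr", "test"],
    "load": ["lds", "lodsb", "lodsw"],
    "store": ["stosb", "stosw"],
    "addsub": ["add", "sub"],
    "muldiv": ["imul", "mul", "idiv", "div"],
    "branch": ["loop", "loope", "loopne", "jz", "jnz", "jc", "jnc", "ja", "jb", "jg"],
}

# Mnemonics used by Sapphire according to slide 21.
SAPPHIRE = ["push", "mov", "xor", "loop", "lea", "call", "cmp", "jz", "or", "shl", "jmp"]


def group_of(mnemonic):
    """Return the EI group name containing the mnemonic, or None."""
    for name, members in EI_GROUPS.items():
        if mnemonic in members:
            return name
    return None


def number_of_versions(keep=1):
    """Slide 19's count: 2^(#static insts) times, for each EI group,
    the number of ways to choose its survivors."""
    total = 2 ** len(COMPLEX)
    for members in EI_GROUPS.values():
        total *= comb(len(members), min(keep, len(members)))
    return total


def pass_probability(worm_mnemonics, keep=1):
    """Exact probability (a Fraction) that a random version keeps every
    distinct mnemonic the worm uses. Only the set of distinct mnemonics
    matters, not the worm's length (slide 20)."""
    needed_per_group = {}
    prob = Fraction(1)
    for m in set(worm_mnemonics):
        if m in UI:
            continue
        if m in COMPLEX:
            prob *= Fraction(1, 2)
            continue
        group = group_of(m)
        if group is None:
            return Fraction(0)  # not in the instruction set at all
        needed_per_group.setdefault(group, set()).add(m)
    for group, needed in needed_per_group.items():
        n, m = len(EI_GROUPS[group]), len(needed)
        k = min(keep, n)
        if m > k:
            return Fraction(0)  # worm needs more members than survive
        # Hypergeometric: all m needed members are among the k chosen.
        prob *= Fraction(comb(n - m, k - m), comb(n, k))
    return prob


def random_version(rng, keep=1):
    """Build one diversified instruction set (slides 12 and 16)."""
    kept = set(UI)
    kept |= {m for m in COMPLEX if rng.random() < 0.5}
    for members in EI_GROUPS.values():
        kept.update(rng.sample(members, min(keep, len(members))))
    return kept


def simulate(worm_mnemonics, trials, keep=1, seed=0):
    """Monte Carlo estimate of pass_probability, for cross-checking."""
    rng = random.Random(seed)
    used = set(worm_mnemonics)
    hits = sum(used <= random_version(rng, keep) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("distinct versions (keep=1):", number_of_versions())
    for keep in (1, 4):
        p = pass_probability(SAPPHIRE, keep)
        print(f"keep={keep}: P(Sapphire runs) = {p} ~ {float(p):.2e}; "
              f"simulated {simulate(SAPPHIRE, 20000, keep):.2e}")
```

With one survivor per group, a worm that uses two members of the same EI group (as the slide's Sapphire list does with or, xor, cmp and shl) can never run on any version, which is the concrete form of slide 20's point that the number of distinct instructions, not the worm's length, decides the outcome. Raising `keep` makes the probability non-zero but shrinks the number of distinct versions.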

Page 22: How to enhance Diversity?

• Determine how many instructions are needed to complete a worm?
• Enhance diversity of UI by adding addressing mode/operand mode
• Complicated? Yes
• How to reduce costs: apply only to "important instructions"

Page 23: High Level Hypothesis about worms

• Every worm needs to use a call
• Every worm needs to use a push
• Every worm needs communication instructions?
• Every worm needs a load or a store
• Every worm needs at least one arithmetic instruction
What do we need?

Page 24: Push and Call

• Push: 6 Operand Modes
• Call: 30 Operand Modes
  • 6 near
  • 8 far
  • 4 task
  • 12 gate

Page 25: Example: Sapphire (II)

• Call:
    call eax
    call dword ptr [esi]
    call esi
• Push:
    push 42B0C9DCh
    push eax
PERFORMANCE:
P(all call/push passed) = (1/6) (1/8) (1/6) (1/6) (1/6)

Page 26: Issues?

• Instruction Guessing?
  – Worms may not be fast enough
  – People can try to guess from simple to complicated instructions
• Hypothesis proof
  – Disassembled code
  – Static Analysis

Page 27: Conclusions

• Nothing is perfect
• More solutions of diversity, better diversity

Page 28: Thank you