Exploiting the Hard-Working DWARF: Trojans with no Native Executable Code

All binaries compiled by recent versions of GCC from C++ programs include complex data and dedicated code for exception handling support. The data structures describe the call stack frame layout in the DWARF format bytecode. The dedicated code includes an interpreter of this bytecode and logic to implement the call stack unwinding. Despite being present in a large class of programs -- and therefore potentially providing a huge attack surface -- this mechanism is not widely known or studied. Of particular interest to us is that the exception handling mechanism provides the means for fundamentally altering the flow of a program. DWARF is designed specifically for calculating call frame addresses and register values. DWARF expressions are Turing-complete and may calculate register values based on any readable data in the address space of the process. The exception handling data is in effect an embedded program residing within every C++ process. This talk explores what can be accomplished with control of the exception handling information without modifying the program\u27s text or data. We also examine the exception handling mechanism and argue that it is rife for vulnerability finding, not least because the error states of a program are often those least well tested

LZfuzz: a fast compression-based fuzzer for poorly documented protocols

Real-world infrastructure offers many scenarios where protocols (and other details) are not released due to being considered too sensitive or for other reasons. This situation makes it hard to apply fuzzing techniques to test their security and reliability, since their full documentation is only available to their developers, and domain developer expertise does not necessarily intersect with fuzz-testing expertise (nor deployment responsibility). State-of-the-art fuzzing techniques, however, work best when protocol specifications are available. Still, operators whose networks include equipment communicating via proprietary protocols should be able to reap the benefits of fuzz-testing them. In particular, administrators should be able to test proprietary protocols in the absence of end-to-end application-level encryption to understand whether they can withstand injection of bad traffic, and thus be able to plan adequate network protection measures. Such protocols can be observed in action prior to fuzzing, and packet captures can be used to learn enough about the structure of the protocol to make fuzzing more efficient. Various machine learning approaches, e.g. bioinformatics methods, have been proposed for learning models of the targeted protocols. The problem with most of these approaches to date is that, although sometimes quite successful, they are very computationally heavy and thus are hardly practical for application by network administrators and equipment owners who cannot easily dedicate a compute cluster to such tasks. We propose a simple method that, despite its roughness, allowed us to learn facts useful for fuzzing from protocol traces at much smaller CPU and time costs. Our fuzzing approach proved itself empirically in testing actual proprietary SCADA protocols in an isolated control network test environment, and was also successful in triggering flaws in implementations of several popular commodity Internet protocols. Our fuzzer, LZfuzz (pronounced ``lazy-fuzz\u27\u27) relies on a variant of Lempel--Ziv compression algorithm to guess boundaries between the structural units of the protocol, and builds on the well-known free software GPF fuzzer

Tools and algorithms to advance interactive intrusion analysis via Machine Learning and Information Retrieval

We consider typical tasks that arise in the intrusion analysis of log data from the perspectives of Machine Learning and Information Retrieval, and we study a number of data organization and interactive learning techniques to improve the analyst\u27s efficiency. In doing so, we attempt to translate intrusion analysis problems into the language of the abovementioned disciplines and to offer metrics to evaluate the effect of proposed techniques. The Kerf toolkit contains prototype implementations of these techniques, as well as data transformation tools that help bridge the gap between the real world log data formats and the ML and IR data models. We also describe the log representation approach that Kerf prototype tools are based on. In particular, we describe the connection between decision trees, automatic classification algorithms and log analysis techniques implemented in Kerf

Dumbots: Unexpected Botnets through Networked Embedded Devices

Currently, work on botnets focuses primarily on PCs. However, as lightweight computing devices with embedded operating systems become more ubiquitous, they present a new and very disturbing target for botnet developers. In this paper, we present both an empirical demonstration on a widely deployed multimedia box, as well as an evaluation of the deeper potential of these dumbots

Pastures: Towards usable security policy engineering

Whether a particular computing installation meets its security goals depends on whether the administrators can create a policy that expresses these goals—security in practice requires effective policy engineering. We have found that the reigning SELinux model fares poorly in this regard, partly because typical isolation goals are not directly stated but instead are properties derivable from the type definitions by complicated analysis tools. Instead, we are experimenting with a security-policy approach based on copy-on-write “pastures”, in which the sharing of resources between pastures is the fundamental security policy primitive. We argue that it has a number of properties that are better from the usability point of view. We implemented this approach as a patch for the 2.6 Linux kernel.

Kerf: Machine Learning to Aid Intrusion Analysts

Kerf is a toolkit for post-hoc intrusion analysis of available system logs and some types of network logs. It takes the view that this process is inherently interactive and iterative: the human analyst browses the log data for apparent anomalies, and tests and revises his hypothesis of what happened. The hypothesis is alternately refined, as information that partially confirms the hypothesis is discovered, and expanded, as the analyst tries new avenues that broaden the investigation

PhasorSec: Protocol Security Filters for Wide Area Measurement Systems

The addition of synchrophasors to the power grid to improve observability comes at the cost of an increased attack surface: the wide area measurement system. A common source of zero-days, that can be used to exploit the system, is improper input validation. The strict availability and timing requirements of the grid make it critical that input validation be done right and in a timely fashion. PhasorSec is a hardened security filter for the synchrophasor communication protocol, C37.118. PhasorSec is built using language theoretic principles which treat all input as a language with a specific grammar that defines what input must be accepted. An open-source version of the prototype is provided and evaluation in terms of CPU-time show that it is possible to meet the strict latency requirements. Experiments also demonstrate its effectiveness against the state-of-the-art AFL fuzzer

Fingerprinting IEEE 802.15.4 Devices with Commodity Radios

We present a reliable method of PHY-layer fingerprinting of IEEE 802.15.4-conformant nodes with commodity digital radio chips widely used in building inexpensive IEEE 802.15.4-conformant devices. Typically, PHY-layer fingerprinting requires software-defined radios that cost orders of magnitude more than the chips they can fingerprint; our method does not require a software-defined radio and uses the same inexpensive chips. For mission-critical systems relying on 802.15.4 devices, defense-in-depth is thus necessary. Device fingerprinting has long been an important defensive tool; reducing its cost raises its utility for defenders. We investigate new methods of fingerprinting 802.15.4 devices by exploring techniques to differentiate between multiple 802.15.4-conformant radio-hardware manufactures and firmware distributions, and point out the implications of these results for WIDS, both with respect to WIDS evasion techniques and countering such evasion