Part I PS 3 discussion of SPINS paper CS 588 February 22, 2005

Part I
PS 3 discussion of SPINS paper
CS 588
February 22, 2005
nate@cs.virginia.edu
1
Scenario
High-power base station
Thousands of small, low-powered devices with
sensors and actuators, communicating wirelessly
2
Message Authentication Code
(MAC)
• Essentially a one-way hash function with a
key, k
• Used for message integrity and
authentication
– If m is altered to m’ then MAC(m) ≠ MAC(m’)
– Only those that know k can create correct MAC
3
Cryptographic Hash Chains
f is a one-way function: easy to calculate f(x), but difficult to invert f.
K_j = f(K_{j+1})
[Figure: x → K3 = f(x) → K2 = f(f(x)) → K1 = f(f(f(x))), each arrow applying f, drawn against a time axis]
Initially store: K0 = f^4(x)
K1 = f^3(x): verify f(K1) = f(f^3(x)) = K0
K2 = f^2(x): verify f^2(K2) = f^2(f^2(x)) = K0
4
µTesla [Perrig, et al., 2002]
• Initially: sensor nodes know K0 = f^n(x); base station knows x
• Base station messages encrypted using K1 = f^(n-1)(x)
• Nodes store and time stamp messages, but cannot decrypt them (yet)
• At time t1, base station broadcasts K1
• Nodes verify f(K1) = K0
• Nodes use K1 to decrypt earlier messages
• Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
5
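The hash-chain check and the delayed key disclosure from the two slides above, as an added Python example (not code from the slides or from the SPINS paper). SHA-256 as f, HMAC-SHA256 tags on the buffered messages in place of the encryption the slide mentions, and all function and class names are assumptions of this example.

```python
import hashlib
import hmac

def f(key):
    """One-way function f; SHA-256 is this example's choice."""
    return hashlib.sha256(key).digest()

def mac(key, msg):
    """Keyed MAC over a message (HMAC-SHA256, an assumption of this example)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(x, n):
    """Base station: return [K0, ..., Kn] with Kn = x and Kj = f(Kj+1)."""
    chain = [x]
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain[::-1]

class Node:
    """Sensor node: holds the last verified key and buffers undisclosed messages."""
    def __init__(self, k0):
        self.key, self.index = k0, 0
        self.buffer = []                      # (interval, message, tag)

    def receive(self, interval, msg, tag, now, disclosure_time):
        # Loose time sync: once Kj may be public, anyone could forge with it.
        if now >= disclosure_time:
            return False
        self.buffer.append((interval, msg, tag))
        return True

    def disclose(self, interval, key):
        """Accept Kj if f^(j - index)(Kj) equals the stored key; return the
        buffered messages of interval j whose tags verify, else None."""
        steps = interval - self.index
        if steps <= 0:
            return None
        k = key
        for _ in range(steps):                # also covers missed disclosures
            k = f(k)
        if not hmac.compare_digest(k, self.key):
            return None
        self.key, self.index = key, interval
        ok = [m for i, m, t in self.buffer
              if i == interval and hmac.compare_digest(t, mac(key, m))]
        # Older intervals are simply dropped in this example.
        self.buffer = [e for e in self.buffer if e[0] > interval]
        return ok
```

A node that missed the broadcast of K1 can still accept K2, because it applies f twice before comparing against K0.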
Part II
Viruses and Cryptography
Principles and Practise of X-RAYING
F. Perriot, P. Ferrie
Virus Bulletin, Sept. 2004
6
Lessons to Learn
• Simple methods of encryption are
prevalent
• Viruses provide good applications of
things you have seen in this class so far
• Another security trade-off
– Resources in sensornets
– Speed in virus scanning
7
Introduction
• Cohen’s definition of a virus
– A program that is able to infect other programs by modifying them to include a possibly evolved copy of itself
[Figure: virus, Win32 PE file (.exe)]
8
Historical Glimpse of Malware
• “Elk Cloner”
– 1982: First PC virus
– Displayed poem after 50th reset
• Morris Worm
– 1988: A network program that attacked many different vulnerabilities to compromise a machine
• Blaster Worm
– 2004: Typical unpatched UVa CS machine compromised in ~1 to 2 minutes
9
Virus Infection (PE files)
• Easiest way is to prepend while
overwriting host application beginning
– Original application will not work
• Can append into last section of PE file
– Change entry point to beginning of the virus
– Insert jmp at entry point to jump to the virus
• Virus writers need something more to fight
detection
10
Armored Viruses
• Encryption
– Thwarts disassembly
– Can hide virus code
; From W95/Mad.2736 Virus
; mov src, dest
        mov  ecx, LENGTH_OF_VIRUS
Decrypt:
        xor  [edi], al          ; key is in al
        inc  edi
        loop Decrypt            ; decrement ecx
11
Detecting Encrypted Viruses
• Polymorphic viruses mutate decryptors
• Static decryptors are easier to detect
– Advanced polymorphic virus decryptors can
still be statically detected
• MtE has a constant, conditional backwards jump
– Use wildcards in matching algorithm (e.g.,
0x75 ?? 0xBF)
12
More complicated Decryption
[Figure: a series of decryptors, Decryptor … Decryptor n]
13
Other complicating methods of
Decryption
• Virus can use brute force to decrypt (no
key needed)
• Multiple layers of encryption
• Key can slide, shift
• Non-linear decryption (substitution)
• Debuggers can modify decryption code
(e.g., when decryption code is used as
key)
– Emulators may optimize decryption code
14
X-RAY detection
• X-RAY
– Attacking the encryption of the virus code
• Virus encryption is usually weak
• Only have a few seconds (make it fast)
P: e8 00 00 5d
C: 71 99 99 c4
If XOR is the only encryption used, how can we quickly determine the key?
15
Why X-RAY
• Can be cheaper (faster) than emulation
• Emulator may not be able to emulate virus
• Decryptors can be buggy
• Works on ~50% of recent Win32 viruses
16
X-RAY Overview
• Known-plaintext attack
– Assume we know virus body (or variant)
– Just need to know if the virus is really present
• Sliding x-ray
[Figure: ciphertext C = 71 99 99 c4 25 shown at three successive sliding positions, …]
17
X-RAY Approaches
• Key Recovery
– Guess key, then match ciphertext to some part of plaintext
• Key validation
– Recover several keys or pieces of keys
– Do the keys match with respect to given encryption method?
P:  e8 00 00 5d
    ^  ^  ^  ^
C:  71 99 99 c4
=   99 99 99 99
18
X-RAY Approaches
• Invariant scanning
– Can reduce ciphertext and then compare against reduced plaintext
– Very fast
– Check Rc == Rp
C               = 71 99 99 c4
C >> 1          =    71 99 99 c4
Rc = C ^ (C>>1) =    e8 00 5d
P               = e8 00 00 5d
P >> 1          =    e8 00 00 5d
Rp = P ^ (P>>1) =    e8 00 5d
19
Invariant Example
Label each plaintext character
P = p0 p1 p2 p3 = e8 00 00 5d
Reduce Ciphertext
C               = e8^99 00^99 00^99 5d^99
C >> 1          =       e8^99 00^99 00^99 5d^99
Rc = C ^ (C>>1) =       p0^p1 p1^p2 p2^p3
Reduce Plaintext
P               = p0 p1 p2 p3
P >> 1          =    p0 p1 p2 p3
Rp = P ^ (P>>1) =    p0^p1 p1^p2 p2^p3
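The invariant reduction above combined with the sliding x-ray from the overview slide, as an added Python example (not code from the slides or the X-RAY paper). It goes beyond the slide by also handling a repeating XOR key of `width` bytes, where the same cancellation happens between bytes `width` apart; the function names, the filler bytes and the 6-byte signature in the test are constructed, while e8 00 00 5d and 71 99 99 c4 25 are the slide's bytes.

```python
def reduce_xor(data, width=1):
    """R = D ^ (D >> width): XOR every byte with the byte `width` positions
    later. A repeating XOR key of `width` bytes cancels out of the result."""
    return bytes(a ^ b for a, b in zip(data, data[width:]))

def xray_xor(buffer, plaintext_sig, width=1):
    """Slide the reduced signature (Rp) over the reduced buffer (Rc).

    Returns [(offset, key), ...] for every offset at which the buffer holds
    plaintext_sig XORed with a repeating key of `width` bytes. The key is
    recovered afterwards from the first `width` bytes (key recovery)."""
    if len(plaintext_sig) <= width:
        raise ValueError("signature must be longer than the key")
    rp = reduce_xor(plaintext_sig, width)
    rc = reduce_xor(buffer, width)
    hits = []
    start = rc.find(rp)
    while start != -1:
        key = bytes(buffer[start + i] ^ plaintext_sig[i] for i in range(width))
        hits.append((start, key))
        start = rc.find(rp, start + 1)
    return hits

# Slide bytes: plaintext signature and its ciphertext under key 0x99.
SIG = bytes.fromhex("e800005d")
# Constructed buffer: five filler bytes followed by the slide's ciphertext.
SAMPLE = b"MZ\x90\x00\x03" + bytes.fromhex("719999c425")

if __name__ == "__main__":
    for offset, key in xray_xor(SAMPLE, SIG):
        print(f"signature at offset {offset}, key {key.hex()}")
```

A 4-byte signature reduces to only 3 bytes, so a real scanner would use the longer signatures discussed under signature length to keep false positives down.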
20
How to apply X-RAYing
• Want to filter out files for X-RAYing
– Use file geometry, positions and sizes of
segments that characterize infected objects
(e.g., virus decryptor, virus body, min/max size
of decryptor, min infected file size, …)
– Use frequency analysis
• Encrypted bytes will have fairly random distribution
• Look at ratio of zero bytes to non-zero bytes
21
How to apply X-RAYing
• Choice of signatures
– Look at segments from begin, middle, and end
of last section
• Length of signatures
– Related to unicity distance
– If a virus has a max key length of n bits, add n
bits to plaintext signature
– Want to avoid false positives
• Misalignment (e.g., sub on 4 bytes instead of single
bytes)
22
W95/Perenast
XOR cipher
• To encrypt:
1. XOR dword (32 bits) of virus with a key
2. Add encrypted value to key to produce next key
3. Rotate key i times (later variants did this)
• 1011 rotated 1 time to right: 1101
4. Jump to step 1 if virus not encrypted
• To X-RAY:
– XOR first 2 dwords of ciphertext with first 2 dwords of plaintext
– Compute the difference (may need to rotate second dword value if key was rotated)
23
W32/Efish.A
Substitution Cipher
• Uses a 256 byte substitution table
– Key size of XOR: 256 bits
– Key size of 16x16 byte substitution table: 256!
possible tables
• Use geometry of file
– If a duplicate byte value occurs within 256 bytes
of its duplicate, then the 256 bytes cannot be
the key
– Have to do this fast!
24
X-RAY Problems
• Multiple layers of encryption with a changing
key are too expensive to X-RAY
• If each layer of encryption uses a fixed key
with simple operations (e.g., XOR, ROR,
etc.), then X-RAYing can be done
• Unaligned layers cause too much diffusion
25
W32/Magistr
More Advanced X-RAY techniques
• Many operations such as XOR, ADD, shifts,
etc. are often used to modify the key each
round (“running keys”)
• Can X-RAY by trying each possible
operation, but it needs more data
For i = 0 to VIRUS_SIZE
    p[i] = c[i] ^ k1
    k1 = k1 + k2
    k1 = k1 rol k3
end for
(the k1 = k1 + k2 and k1 = k1 rol k3 lines can be swapped)
26
W32/Magistr
// encrypting virus code
For i = 0 to VIRUS_SIZE
    p[i] = c[i] ^ k1
    k1 = k1 + k2
    k1 = k1 rol k3
end for
(the k1 = k1 + k2 and k1 = k1 rol k3 lines can be swapped)
• Assume order is ADD then ROL
• XOR 2nd encrypted dword (try all 31 ROL arguments)
• For some i in the 31 ROL results, result - k1 yields ADD value (k2)
• Check by encrypting 3rd dword of plaintext
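The running-key validation steps above, as an added Python example (not code from the slides or the X-RAY paper). It assumes the ADD-then-ROL order on 32-bit dwords as on the slide; the function names, the plaintext dwords and the key values are constructed for the example.

```python
MASK = 0xFFFFFFFF

def rol(v, r):
    """Rotate a 32-bit value left by r bits (1 <= r <= 31)."""
    return ((v << r) | (v >> (32 - r))) & MASK

def ror(v, r):
    """Rotate a 32-bit value right by r bits (1 <= r <= 31)."""
    return rol(v, 32 - r)

def encrypt(plain, k1, k2, k3):
    """Constructed test helper following the slide's loop: XOR, ADD, ROL."""
    out = []
    for p in plain:
        out.append(p ^ k1)
        k1 = rol((k1 + k2) & MASK, k3)
    return out

def xray_running_key(cipher, plain):
    """Return every (k1, k2, k3) consistent with the known plaintext dwords.

    The key at each position is c[i] ^ p[i]. For each of the 31 ROL
    arguments, undoing the rotation of the second key and subtracting the
    first key yields a candidate k2; the third and later dwords validate it."""
    if len(plain) < 3 or len(cipher) < len(plain):
        return []
    keys = [c ^ p for c, p in zip(cipher, plain)]
    found = []
    for k3 in range(1, 32):
        k2 = (ror(keys[1], k3) - keys[0]) & MASK
        k = keys[1]
        for expected in keys[2:]:
            k = rol((k + k2) & MASK, k3)
            if k != expected:
                break
        else:
            found.append((keys[0], k2, k3))
    return found

# Constructed known plaintext (four dwords) and constructed key material.
PLAIN = [0x5D0000E8, 0x00401000, 0x81ED0000, 0x12345678]
CIPHER = encrypt(PLAIN, 0xDEADBEEF, 0x01234567, 7)

if __name__ == "__main__":
    print([tuple(hex(v) for v in cand) for cand in xray_running_key(CIPHER, PLAIN)])
```

An empty result means the bytes at this offset are not the known body under this scheme; the swapped ROL-then-ADD order would need its own pass.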
27
Homophonic Cipher
• NOON could encrypt to ERTY
• Notice N and O encrypt to 2 different
ciphertext letters
• Will work as long as each ciphertext symbol
maps to a unique plaintext symbol
• Hides frequency distribution
28
W32/Efish.C
Homophonic Cipher
• Build decryption keys
– For each ci and pi, record decryption key
– If 2 distinct plaintext values map to the same
decryption key, cipher is not substitution or
homophonic
– If there are multiple encrypted values for a given
plaintext element, it’s homophonic
– Brute force for this is SLOW
29
W32/Efish.C
Attacking PRNG
• Using timestamps, C rand() function is bad
• Take care to seed PRNG well
• Efish.C uses a PRNG named the Mersenne
Twister
– With 94% chance, a random substitution table is
used, or
– 6% of the time, it searches for an unused
plaintext byte
30
W32/Efish.C
Attacking PRNG
• After ~350 bytes, the chance of an unused byte is less than 10^-9
– So after the 350th byte, it’s just a substitution
cipher
• Use frequency analysis, determine if a virus
uses a simple substitution cipher
– If frequencies are not preserved, we know it’s
not a substitution cipher
31
Questions?
(Make sure you got leaked
document on midterm and copy
of X-RAY paper)
32
W32/Efish.A
Scanning for duplicate bytes
Position: 0  1  2  3  4  …
Byte:     52 f2 ce f2 09 …
• Naïve solution
– Consider first 5 bytes, if duplicate found, slide 5-byte window one position down
– It takes 4 bytes to stop the scan on first scan
– It takes 3 bytes to stop for the next scan, and
it’s the first 2 bytes
– End up looking at same bytes multiple times
33
W32/Efish.A
More Efficient Scanning
Position: 0  1  2  …  431  …  442  …
Byte:     52 f2 ce …  08   …  08   …
• Better solution
– Start from end
– If duplicate seen, slide window down 256 – examined bytes
• If positions 442 and 431 are the first duplicates, we
can start scanning at position 432
• On average, it takes ~20 bytes to find duplicate
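The backward scan described above, as an added Python example (not code from the slides or the X-RAY paper). It returns the offsets of windows in which no byte value repeats, which are the only places a 256-byte substitution table can sit; the function name, the filler bytes and the table are constructed for the example.

```python
def find_table_candidates(data, size=256):
    """Return offsets of `size`-byte windows that contain no duplicate byte.

    Each window is scanned from its end. When a byte is found that already
    occurred later in the window, every window that still contains both
    copies is ruled out, so the scan restarts just past the earlier copy
    (position 432 in the slide's 431/442 case)."""
    hits = []
    start = 0
    while start + size <= len(data):
        seen = bytearray(256)          # seen[v] == 1 once value v was met
        dup_at = -1
        for pos in range(start + size - 1, start - 1, -1):
            value = data[pos]
            if seen[value]:
                dup_at = pos           # earlier copy of a repeated value
                break
            seen[value] = 1
        if dup_at < 0:
            hits.append(start)         # duplicate-free: candidate table
            start += 1
        else:
            start = dup_at + 1         # skip all windows containing the pair
    return hits

# Constructed sample: repeating filler (the slide's five bytes), then a
# 256-byte permutation standing in for a substitution table, then filler.
FILLER = bytes.fromhex("52f2cef209") * 100
TABLE = bytes((i * 167 + 13) % 256 for i in range(256))
SAMPLE = FILLER + TABLE + FILLER

if __name__ == "__main__":
    print(find_table_candidates(SAMPLE))
```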
34
Other X-RAY Options
• For W95/Perenast, the encryption is
encrypt:
    c = p ^ k
    k = k – c
    loop encrypt
• If p == 0, then k becomes 0
• If any bits in p are 0, then those bits become
0 in k
35
W32/Bagif
• Used 2 layers of encryption
– First layer is a polymorphic decryptor that builds a second layer decryptor that decrypts virus body
• For 2nd layer, to encrypt:
1. Initialize counter to VIRUS_SIZE
2. XOR byte with last 8 bits of 32-bit key
3. Rotate key right by one bit
4. Subtract counter from key, decrement counter
5. Jump to step 2 if counter not 0
36
X-RAYing W32/Bagif
• To X-RAY, do reverse:
1. We can quickly get last 8 bits of key, k, from last byte of virus body
• last encrypted virus byte XOR last plaintext virus byte (set c = 2)
2. Set k = c + k, then increment c
3. Rotate k left by one bit
4. XOR ciphertext byte with known 7 bits of key plus 1 unknown bit
5. Jump to step 2 if counter not VIRUS_SIZE
37
Multiple Layers of Encryption
• Recover code and data keys from decryptor
• Recover code key to X-RAY data key (check
for often-used opcodes in decryptor)
• Data key usually spread through many
instructions
– May need emulator
38