Part I PS 3 discussion of SPINS paper CS 588 February 22, 2005 nate@cs.virginia.edu 1 Scenario High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly 2 Message Authentication Code (MAC) • Essentially a one-way hash function with a key, k • Used for message integrity and authentication – If m is altered to m’ then MAC(m) ≠ MAC(m’) – Only those that know k can create correct MAC 3 Cryptographic Hash Chains f is a one-way function: easy to calculate f(x), but difficult to invert f. Kj = f (Kj+1) f K1 = f (f (f (x))) f K2 = f (f (x)) f x K3 = f (x) time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = f(f3(x)) = K0 K2 = f2(x) verify f 2(K2) = f2(f2(x)) = K0 4 µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 to decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages 5 encrypted with K1 after K1 was revealed Part II Viruses and Cryptography Principles and Practise of X-RAYING F. Perriot, P. Ferrie Virus Bulletin, Sept. 2004 6 Lessons to Learn • Simple methods of encryption are prevalent • Viruses provide good applications of things you have seen in this class so far • Another security trade-off – Resources in sensornets – Speed in virus scanning 7 Introduction • Cohen’s definition of a virus – A program that is able to infect other programs by modifying them to include a possibly evolved copy of itself virus Win32 PE file (.exe) 8 Historical Glimpse of Malware • “Elk Cloner” – 1982: First PC virus – Displayed poem after 50th reset • Morris Worm – 1988: A network program that attacked many different vulnerabilities to compromise machine • Blaster Worm – 2004: Typical unpatched UVa CS machine compromised ~1 to 2 minutes 9 Virus Infection (PE files) • Easiest way is to prepend while overwriting host application beginning – Original application will not work • Can append into last section of PE file – Change entry point to beginning of the virus – Insert jmp at entry point to jump to the virus • Virus writers need something more to fight detection 10 Armored Viruses • Encryption – Thwarts disassembly – Can hide virus code ; From W95/Mad.2736 Virus ; mov src, dest mov ecx, LENGTH_OF_VIRUS xor [edi], al inc edi loop Decrypt Decrypt: ; key is in al ; decrement ecx 11 Detecting Encrypted Viruses • Polymorphic viruses mutate decryptors • Static decryptors are easier to detect – Advanced polymorphic virus decryptors can still be statically detected • MtE has a constant, conditional backwards jump – Use wildcards in matching algorithm (e.g., 0x75 ?? 0xBF) 12 More complicated Decryption Decryptor Decryptor Decryptor Decryptor n Decryptor 13 Other complicating methods of Decryption • Virus can use brute force to decrypt (no key needed) • Multiple layers of encryption • Key can slide, shift • Non-linear decryption (substitution) • Debuggers can modify decryption code (e.g., when decryption code is used as key) – Emulators may optimize decryption code 14 X-RAY detection • X-RAY – Attacking the encryption of the virus code • Virus encryption is usually weak • Only have a few seconds (make it fast) P e8 00 00 5d C 71 99 99 c4 If XOR is only encryption used, how can we quickly determine key? 15 Why X-RAY • • • • Can be cheaper (faster) than emulation Emulator may not be able to emulate virus Decryptors can be buggy Works on ~50% of recent Win32 viruses 16 X-RAY Overview • Known-plaintext attack – Assume we know virus body (or variant) – Just need to know if the virus is really present • Sliding x-ray C 71 99 99 c4 25 C 71 99 99 c4 25 C 71 99 99 c4 25 … 17 X-RAY Approaches • Key Recovery – Guess key, then match ciphertext to some part of plaintext • Key validation – Recover several keys or pieces of keys – Do the keys match with respect to given encryption method? P C e8 00 00 5d ^ ^ ^ ^ 71 99 99 c4 99 99 99 99 18 X-RAY Approaches • Invariant scanning – Can reduce ciphertext and then compare against reduced plaintext – Very fast – Check Rc == Rp C 71 99 99 c4 71 99 99 Rc = e8 C ^ (C>>1) 00 5d C >> 1 P c4 00 00 5d e8 00 00 Rp = e8 P ^ (P>>1) 00 5d P >> 1 e8 5d 19 Invariant Example Label each plaintext character P Reduce Ciphertext C Reduce Plaintext p0 p1 p2 p3 e8 00 00 5d E8^99 00^99 00^99 5d^99 C >> 1 E8^99 00^99 00^99 5d^99 Rc = C ^ (C>>1) p0^p1 p1^p2 p2^p3 P p1 p2 p3 p0 p1 p2 p0 P >> 1 Rp = P ^ (P>>1) p3 p0^p1 p1^p2 p2^p3 20 How to apply X-RAYing • Want to filter out files for X-RAYing – Use file geometry, positions and sizes of segments that characterize infected objects (e.g., virus decryptor, virus body, min/max size of decryptor, min infected file size, …) – Use frequency analysis • Encrypted bytes will have fairly random distribution • Look at ratio of zero bytes to non-zero bytes 21 How to apply X-RAYing • Choice of signatures – Look at segments from begin, middle, and end of last section • Length of signatures – Related to unicity distance – If a virus has a max key length of n bits, add n bits to plaintext signature – Want to avoid false positives • Misalignment (e.g., sub on 4 bytes instead of single bytes) 22 • W95/Perenast XOR cipher To encrypt: 1. XOR dword (32 bits) of virus with a key 2. Add encrypted value to key to produce next key 3. Rotate key i times (later variants did this) • 1011 rotated 1 time to right: 1101 4. Jump to step 1 if virus not encrypted • To X-RAY: – XOR first 2 dwords of ciphertext with first 2 dwords of plaintext – Compute the difference (may need to rotate 23 second dword value if key was rotated) W32/Efish.A Substitution Cipher • Uses a 256 byte substitution table – Key size of XOR: 256 bits – Key size of 16x16 byte substitution table: 256! possible tables • Use geometry of file – If a duplicate byte value occurs within 256 bytes of its duplicate, then the 256 bytes cannot be the key – Have to do this fast! 24 X-RAY Problems • Multiple layers of encryption with a changing key are too expensive to X-RAY • If each layer of encryption uses a fixed key with simple operations (e.g., XOR, ROR, etc.), then X-RAYing can be done • Unaligned layers cause too much diffusion 25 W32/Magistr More Advanced X-RAY techniques • Many operations such as XOR, ADD, shifts, etc. are often used to modify the key each round (“running keys”) • Can X-RAY by trying each possible operation, but it needs more data For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 k1 = k1 rol k3 end for (these 2 lines can can be swapped) 26 W32/Magistr // encrypting virus code For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 k1 = k1 rol k3 end for (these 2 lines can can be swapped) • Assume order is ADD then ROL • XOR 2nd encrypted dword (try all 31 ROL arguments) • For some i in the 31 ROL results, result - k1 yields ADD value (k2) • Check by encrypting 3rd dword of plaintext 27 Homophonic Cipher • NOON could encrypt to ERTY • Notice N and O encrypt to 2 different ciphertext letters • Will work as long as each ciphertext symbol maps to a unique plaintext symbol • Hides frequency distribution 28 W32/Efish.C Homophonic Cipher • Build decryption keys – For each ci and pi, record decryption key – If 2 distinct plaintext values map to the same decryption key, cipher is not substitution or homophonic – If there are multiple encrypted values for a given plaintext element, it’s homophonic – Brute force for this is SLOW 29 W32/Efish.C Attacking PRNG • Using timestamps, C rand() function is bad • Take care to seed PRNG well • Efish.C uses a PRNG named the Mersenne Twister – With 94% chance, a random substitution table is used, or – 6% of the time, it searches for an unused plaintext byte 30 W32/Efish.C Attacking PRNG • After ~350 bytes, the chance of an unused byte is less than 10-9 – So after the 350th byte, it’s just a substitution cipher • Use frequency analysis, determine if a virus uses a simple substitution cipher – If frequencies are not preserved, we know it’s not a substitution cipher 31 Questions? (Make sure you got leaked document on midterm and copy of X-RAY paper) 32 W32/Efish.A Scanning for duplicate bytes 0 1 2 3 4 … 52 f2 ce f2 09 … • Naïve solution – Consider first 5 bytes, if duplicate found, slide 5byte window one position down – It takes 4 bytes to stop the scan on first scan – It takes 3 bytes to stop for the next scan, and it’s the first 2 bytes – End up looking at same bytes multiple times 33 W32/Efish.A More Efficient Scanning 0 1 2 … 431 … 442 … 52 f2 ce … 08 … 08 … • Better solution – Start from end – If duplicate seen, slide window down 256 – examined bytes • If positions 442 and 431 are the first duplicates, we can start scanning at position 432 • On average, it takes ~20 bytes to find duplicate 34 Other X-RAY Options • For W95/Perenast, the encryption is encrypt: c=p^k k=k–c loop encrypt • If p == 0, then k becomes 0 • If any bits in p are 0, then those bits become 0 in k 35 W32/Bagif • Used 2 layers of encryption – First layer is a polymorphic decryptor that builds a second layer decryptor that decrypts virus body • For 2nd layer, to encrypt: 1. 2. 3. 4. 5. Initialize counter to VIRUS_SIZE XOR byte with last 8 bits of 32-bit key Rotate key right by one bit Subract counter from key, decrement counter Jump to step 2 if counter not 0 36 X-RAYing W32/Bagif • To X-RAY, do reverse: 1. We can quickly get last 8 bits of key, k, from last byte of virus body • last encrypted virus byte XOR last plaintext virus byte (set c = 2) 2. Set k = c + k, then increment c 3. Rotate k left by one bit 4. XOR ciphertext byte with known 7 bits of key plus 1 unknown bit 5. Jump to step 2 if counter not VIRUS_SIZE 37 Multiple Layers of Encryption • Recover code and data keys from decryptor • Recover code key to X-RAY data key (check for often-used opcodes in decryptor) • Data key usually spread through many instructions – May need emulator 38