New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies

Transcription

1 Advanced Evasion Techniques New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies Mark Boltz, Mika Jalava, Jack Walsh (ICSA Labs) Stonesoft Corporation Stonesoft Corporation International Headquarters Itälahdenkatu 22 A Fl-0021O Helsinki, Finland tel fax Stonesoft Inc. Americas Headquarters 1050 Crown Pointe Parkway, Suite 900 Atlanta, GA 30338, USA tel fax

2 Table of Contents Abstract 3 The Authors 3 Network Security 4 Role of Intrusion Detection and Prevention 5 Evasions 6 Networking Standards 6 Evasion Research 6 Normalization 7 Advanced Evasion Techniques 8 Conclusion 9 ICSA Labs Research Contribution 9 References 11 Research Paper Advanced Evasion Techniques page 2

3 Abstract The complexity of today s network environments presents challenges to managing information security systems. Intrusion detection and prevention systems (IPS) provide protection, particularly to systems that must be left vulnerable because they cannot be updated without adverse risks. For almost as long as there has been IPS technology, there have been attempts to evade detection by such systems. However, the evasion techniques used by criminals and other bad actors has most likely been limited to a handful of techniques that are wellknown. Stonesoft found evasion techniques that extend earlier research to include a new set of techniques and combinations of the prior techniques. Together, these advanced evasion techniques (AETs) prey upon protocol weaknesses and the permissive nature of network-based communication, exponentially increasing the number of evasions that can bypass even the most up-to-date IPS technologies. The Authors Mark Boltz is a senior solutions architect with Stonesoft Corporation. He has over 20 years of experience in information technology, with over 18 years specializing in network security. He holds CISSP and CISA certifications, and is pursuing a master s degree in information technology. Mika Jalava is the chief technical officer (CTO) of Stonesoft Corporation. Jack Walsh is Anti-SPAM and Network IPS Program Manager for ICSA Labs, an independent division of Verizon Business. Research Paper Advanced Evasion Techniques page 3

4 Network Security Security in computer networks depends on a surprisingly large number of factors. This is true even if we limit our scope to defending against active, network-based attacks. The variety of controls that network, server, and security administrators must understand and correctly use to defend their organizations against an evolving threat landscape can be intimidating. Networking devices, server operating systems and applications must be up to date and correctly configured. Access controls must be properly applied. The network must be segmented to provide protection and minimize the damage that may result from possible compromise. Firewall rules must allow only the services required by the organization. Logs from all the systems should be centrally collected, stored and analyzed for anomalous or unexpected behavior. Payment card and personal information must be protected according to the internal security policy as well as external compliance requirements. While all organizations may attempt to follow the steps above as well as other best practices, their network topology may preclude them from doing all that is in their best interest. Dynamic and poorly designed network services may not allow strict segmentation and firewall policies. Organizations, such as many industrial networks, may be limited in terms of what updates can be made to operating systems due to support for legacy software and protocols. The sheer volume of patches and new versions for operating systems and applications as well as their mutual compatibility may limit the organization s ability to adequately test them and keep pace. Research Paper Advanced Evasion Techniques page 4

5 Role of Intrusion Detection and Prevention To complement the fundamentally static, although ever-evolving protection provided by network firewalls, intrusion detection (IDS) and prevention systems (IPS) have been deployed. IDS and IPS technology help to mitigate concerns organizations have about the aforementioned issues. Unlike a firewall with its set of security policy rules that allow or disallow packets depending on their source, destination, protocol and other properties, IDS and IPS devices promise to inspect and allow all traffic to pass as long as no threat is detected. If a malicious connection is attempted, these devices will either alert the administrator (in the case of an IDS), or drop the connection (in the case of an IPS). The techniques used by these inspection-based security devices vary, but usually include protocol analysis and attack signatures that detect predetermined patterns in the network traffic caused by malicious exploits of vulnerabilities in one of the communicating systems. Figure 1: Basic Intrusion Prevention. The IPS inspects and disallows illegitimate packets. The number of known exploits and vulnerabilities is large and continues to grow rapidly. Thankfully, the inspection capabilities of IDS and IPS products are also evolving quickly. Generally, when a new enterpriserelevant exploit is discovered, detection methods are implemented in the inspection devices within a few days, even hours. Because they may be similar to others, some exploits may be detected and prevented with prior analytic capabilities. k Figure 2: Basic Intrusion Detection. The IPS inspects and reports illegitimate and suspicious packets. Research Paper Advanced Evasion Techniques page 5

6 Evasions What if the target system is vulnerable to an enterprise-relevant exploit, but the attacker cannot get his or her attack delivered because of a network-based detection system? Enter the evasion technique. The development of evasion techniques, or just evasions for short, has not gone unnoticed by those willing to misuse network resources. Evasions alter the attacker s question from, How do I hack the destination system? to How do I hack the system unnoticed? Networking Standards TCP/IP, the protocol suite used on the Internet and the vast majority of all computer networks, is based on the requirements from RFC 791 that was written in Among other things, the RFC says, In general, an implementation must be conservative in its sending behavior, and liberal in its receiving behavior. That is, it must be careful to send well-formed datagrams, but must accept any datagram that it can interpret (e.g., not object to technical errors where the meaning is still clear) (Postel, 1981, p. 23). That means there will be multiple ways to form messages that will be interpreted identically by the receiving host. While this permissive stance was intended to make interoperability between systems as reliable as possible, it at the same time paved the way for a number of attacks and ways to hide those and other attacks from detection. As different operating systems and applications behave in different ways when receiving packets, the destination host s application may see something quite different than what was in the network traffic. Also, the network itself between the detection system and the host may alter the traffic. By carefully exploiting these differences, in many cases, it is possible to construct packets in a way that looks normal and safe, but when interpreted by the end host, forms an exploit against it. In general, these techniques are called evasions. Evasion Research Evasion research took off in the late 1990 s. In their 1998 paper, Newsham and Ptacek presented a number of techniques that could be used to effectively evade detection systems. Since then, the area has had little new research and appeal to either security vendors or adversaries in the black hat community. One of the basic evasion techniques outlined by Newsham and Ptacek is centered on the challenges of IP fragmentation. IP fragmentation is also specified in RFC 791, and is required to ensure interoperability between systems and handling varying network topologies in between (Postel, 1981). In IP fragmentation evasions, the attacker takes advantage of scrambling fragments out-of-order, If we knew what we were doing, it wouldn t be called research. Albert Einstein Research Paper Advanced Evasion Techniques page 6

7 or by overwhelming the IPS with too many fragments, for example. They caution, an IDS that does not properly handle out-of-order fragments is vulnerable; an attacker can intentionally scramble her fragment streams to elude the IDS (Newsham & Ptacek, 1998). Furthermore, IDS systems are challenged by the fact that received fragments must be stored until the stream of fragments can be reassembled into an entire IP datagram (Newsham & Ptacek, 1998). The conclusion is that IDS and IPS architectures have to compensate for all the possible ways that the target system can potentially re-assemble the fragments, and the IPS has to cover all possibilities. If the IPS can t buffer enough fragments before applying signatures, or determine the possible re-sequencing, it no longer has the appropriate context, thus rewriting the stream on the IDS (Newsham & Ptacek, 1998). We refer to the change in context between the IPS and the target system as state de-synchronization. Other evasions already covered in their work in 1998 include various techniques involving IP options, TCP options, and TCP sequencing. These are covered in detail in their paper and are noted here to provide further background into the age of these evasion techniques. Many of the evasion techniques presented in that paper from 1998 are still effective against today s IPS systems. This surprising fact should give you some idea about the level of interest and attention that evasions have so far received among security vendors. Laboratories involved in certification testing of security devices, such as ICSA Labs, have included a number of evasions in their IPS test suites. However, because the amount of new vulnerabilities and exploits is so overwhelming, the payoff for the attacker has been sufficiently high. This results in continued use of the latest exploits rather than attacks in conjunction with evasions to bypass network security protections. Normalization While security devices providing inspection services need to match attack signatures to the information being seen by the target host, they cannot simply observe the network traffic packet by packet. Similarly, it is not enough for security devices to place packets in the correct order and reassemble any fragments. Security devices must consider other possibilities like packets not received by the end host or protocols that can be decoded in multiple ways. The mechanism for handling this is called normalization, and was suggested in research from Handley and Paxson in 1999 and expanded in It is a task very much complicated by the policy set forth in RFC 791. Although the standard requires the sending host to be conservative, it is unreasonable to expect anything of the kind from malicious users. Also, while the target hosts are required by RFC 791 to be liberal in their receiving behavior, the further standards actually defining what this means are often ambiguous and simply allow too much variation. Handley and Paxson add that network traffic unfortunately often includes a nonnegligible proportion of highly unusual, but benign, traffic that will often result in false positives concerning possible evasion attempts (2001). And if different operating systems decode a given message in different ways, it is difficult for a security device to make correct decisions as a result of the normalization process. Research Paper Advanced Evasion Techniques page 7

8 Advanced Evasion Techniques At Stonesoft, our vulnerability research team has been deeply involved in improving our products, including the IPS. Disappointing test results with some existing evasions forced us to shift the team s emphasis towards evasion research. Comprised of experienced security professionals, the vulnerability research team was not satisfied merely by making the required fixes. They delved much deeper into the realm of evasions, and were quite surprised by the potential security risks that they found hidden there. The team s findings indicate that there are many more ways to desynchronize an IPS from network traffic with evasion techniques than had heretofore been publicly known. What that means is that the IPS has a different understanding of the protocol state from what the target host has. Because some of the methods discovered are rather simple, Stonesoft was initially quite worried that these evasions may well have already been discovered and actually used by criminals, unbeknownst to the existing crop of commercial IPS devices and the organizations where they are deployed. Other evasions are significantly more complicated, but nevertheless just as practical and effective. What may have slowed down evasion research is the fact that many of the attack and evasion tools have been limited by standard operating systems and their TCP/IP stacks. The limitations are to be expected, as these systems are supposed to follow the conservative sending behavior requirement. Freeing themselves from these limitations with special low-level tools, including TCP/IP stacks having greatly increased flexibility, the Stonesoft researchers soon discovered dozens of potential evasions. Testing these against a number of existing IPS and similar systems, Stonesoft also found that the techniques effectively evaded detection. The new evasions mostly build on well-known principles of de-synchronizing detection systems relying on the network view of the traffic, from the target host s perspective. Although the objective is the same, the methods vary. Evasion possibilities have been found on IP and transport (TCP, UDP) layers as well as on application layer protocols, including but not limited to SMB and RPC protocols. Although we cannot disclose the details of the advanced evasion techniques during the vulnerability coordination process led by CERT-FI, the validity of the findings has been verified through independent tests performed by ICSA Labs (see contribution note after the conclusion). The technical community will be provided further details on the techniques as soon as it is safe and responsible to do so. The effectiveness of the detection process, including normalization, is limited by the fact that the evasion methods can be combined. Unhindered by the operating system s limitations on sending malformed packets to the network, any modifications and combinations thereof can be easily tested in Stonesoft s laboratory environment against vulnerable host systems in conjunction with either a commercial IPS or other security devices (e.g., a network firewall). It is clear that these new evasions, along with the new ways to utilize them, add new requirements to the normalization process. It is no longer possible to rely on low level normalization only at the IP and transport layers as an increasing number of evasions show up at the application layer targeting multiple protocols. There are no rules here. We re trying to accomplish something. Thomas Edison Research Paper Advanced Evasion Techniques page 8

9 Conclusion The Stonesoft research team discovered the new evasion techniques in a lab environment rather than while investigating nefarious activities on the Internet. However, this does not mean that criminals or other bad actors had not already discovered and possibly been using these evasions against real world targets. After all, a large percentage of information security incidents actually go unnoticed. And according to the Verizon Business 2010 Data Breach Investigations Report, approximately 20% of incidents involving malware detected have an unknown component for the infection vector (Baker, et. al., 2010). Whether or not and to what extent this may have been as a result of advanced evasion techniques is of course impossible to say. It is quite probable though, especially in the more advanced, targeted attacks that unknown evasion tools may be in use. Stonesoft has found that it is possible to evade many, if not all, commercially available IPS s and certainly all that have been tested. Given their architecture, not all of them will be easily fixed. Most of the network security threats, and almost all serious ones, are caused by criminals motivated by money. As the rewards may be very high, the motivation to invest in the attacks and evasions certainly exists. These facts then beg some obvious questions: Why haven t more security vendors continued from where the last set of published research left off? Is the problem too difficult to tackle with the current security device architectures? Looking at the past, the main selling points and comparison metrics for security devices have been throughput performance and price. Yet the actual reason for inspection-based security devices is protection. It is curious then that the accuracy of inspection and efficiency of responses to detected attacks and evasions has been neglected by security vendors. While throughput is an important factor, it is still secondary to the security functionality or ought to be. Perhaps some security vendors believe that selling fast systems with seriously limited security functionality is too lucrative to risk by researching and resolving threats such as the evasions found by Stonesoft as they cannot be easily detected with performance-optimized systems. ICSA Labs Research Contribution For over 20 years ICSA Labs has tested hundreds of computer and network security products. During that time ICSA Labs has helped ensure that enterprise end users get the best possible protection as a result of rigorous, independent, third party testing of anti-virus, anti-spam, network intrusion prevention, firewall, FIPS-140, USGv6, SSL, IPsec, and many other kinds of products. It s not surprising then that Stonesoft contacted ICSA Labs to verify its research into the newly-found advanced evasion techniques (AETs). Through the use of video conferencing equipment, Stonesoft demonstrated its findings to ICSA Labs. Having packaged the evasions into an internal Stonesoft tool called Predator, ICSA Labs watched as attacks using the newly discovered advanced evasions successfully passed through IPS devices that were capable of detecting the original attack. Long proponents of responsible disclosure, Stonesoft and ICSA Labs then formulated a plan that would permit ICSA Labs to test the AETs while allowing the Predator tool and its evasion-related code to remain safely confined to Stonesoft s research lab in Finland. Research Paper Advanced Evasion Techniques page 9

10 Following the video conferencing demonstration of the Predator tool and some of evasion techniques, Stonesoft delivered traffic packet captures that their research team had created using the tool the same packet captures that CERT-FI made available to affected network security vendors. Vulnerability experts at ICSA Labs analyzed and confirmed that many of the evasions in those captures belonged to a new class of evasions not previously seen in public. ICSA Labs then confirmed, by properly replaying the traffic captures that the attacks disguised by the AETs were not detected by several well-known intrusion prevention systems. But to truly verify the AETs could evade detection and compromise systems, ICSA Labs needed a way for themselves to combine the AETs with actual attacks and launch them against vulnerable systems. To do so, ICSA Labs and Stonesoft set up a virtual private network (VPN) tunnel between Stonesoft s Helsinki, Finland headquarters and ICSA Labs Mechanicsburg, Pennsylvania testing laboratory. ICSA Labs used the VPN connection to access the Predator tool s graphical user interface. Picking and choosing from the Predator tool s many options, ICSA Labs was able to launch attacks coupled with the new AETs through several IPS devices against a vulnerable system. Of the dozen-or-so new evasions tested, ICSA Labs was able to confirm that many of the stealthy attacks passed through one or more of the tested commercial IPS devices undetected and successfully compromised the vulnerable systems. Research Paper Advanced Evasion Techniques page 10

11 References Baker, W., Goudie, M., Hutton, A., Hylender, C., Niemantsverdriet, J., Novak, C., Ostertag, D., Porter, C., Rosen, M., Sartin, B., Tippett, P. (2010). Verizon 2010 Data Breach Investigations Report. Verizon Business. Retrieved from rp_2010-data-breach-report_en_xg.pdf Caswell, B., Moore, H. D. (2006). Thermoptic Camouflage: Total IDS Evasion. Proceedings of the BlackHat Conference. Retrieved from 06-Caswell.pdf Chien, E., Falliere, N., Murchu, L. O. (2010). W32.Stuxnet Dossier. Symantec Security Response. Retrieved from stuxnet_dossier.pdf Gorton, S. A., Champion, T. G. (2003). Combining Evasion Techniques to Avoid Network Intrusion Detection Systems. Skaion Corporation. Retrieved from Handley, M., Kreibich, C., Paxson, V. (2001). Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-end Protocol Semantics. In Proceedings of the 10th USENIX Security Symposium. Vol. 10. Berkeley, CA: USENIX Association. pp Retrieved from Jang, Jong-Soo, Jeon, Yong-Hee, Oh, Jin-Tae, Park, Sang-Kil. (2007). Detection of DDoS and IDS Evasion Attacks in a High-Speed Networks Environment. In International Journal of Computer Science and Network Security. Vol. 7, No. 6. Retrieved from book/200706/ pdf Newsham, Timothy N., Ptacek, Thomas H. (1998). Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Secure Networks, Inc. Retrieved from stf/secnet_ids/secnet_ids.html Pazos-Revilla, M.. FPGA based fuzzy intrusion detection system for network security. M.S. dissertation, Tennessee Technological University, United States -- Tennessee. Retrieved from Dissertations & Theses: Full Text. (Publication No. AAT ). Postel, J. (1981). RFC 791: Internet Protocol. DARPA Internet Program Protocol Specification. Internet Engineering Task Force. Retrieved from Research Paper Advanced Evasion Techniques page 11

12 About Stonesoft Stonesoft Corporation (NASDAQ OMX: SFT1V) is an innovative provider of integrated network security solutions to secure the information flow of distributed organizations. Stonesoft customers include enterprises with growing business needs requiring advanced network security and always-on business connectivity. StoneGate secure connectivity solution unifies firewall, VPN, IPS and SSL VPN blending network security, end-to-end availability and award-winning load balancing into a unified and centrally managed system. The key benefits of StoneGatesecure connectivity solution include low TCO, excellent price-performance ratio and high ROI. The virtual StoneGate solution protects the network and ensures business continuity in both virtual and physical network environments. StoneGate Management Center provides unified management for StoneGate Firewall with VPN, IPS, and SSL VPN. StoneGate Firewall and IPS work together to provide intelligent defence all over the enterprise network while StoneGate SSL VPN provides enhanced security for mobile and remote use. Founded in 1990, Stonesoft Corporation is a global company with corporate headquarters in Helsinki, Finland and Americas headquarters in Atlanta, Georgia. For more information, visit Copyright 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Stonesoft Corporation International Headquarters Itälahdenkatu 22 A Fl-0021O Helsinki, Finland tel fax Stonesoft Inc. Americas Headquarters 1050 Crown Pointe Parkway, Suite 900 Atlanta, GA 30338, USA tel fax