Polymorphic Shellcodes vs. Application IDSs




http://www.ngsec.com

Contents

1. Introduction.
2. Shellcode types and recognition techniques.
3. Intrusion Detection Systems.
4. NGSecureWeb.
5. References.
6. Credits.

Page 1 of 6

1. Introduction.

This document focuses on how an IDS, under certain circumstances, can detect polymorphic shellcodes. We will go through the three main parts of a polymorphic shellcode and analyze the common problems an IDS has in detecting them.

2. Shellcode types and recognition techniques.

We will discuss shellcodes for IA32 platforms. Please note that all these techniques can be implemented on other platforms such as SPARC, HPPA, MIPS, etc.

Before polymorphic shellcodes appeared, regular shellcodes had two well-defined sections:

- NOP section: the section the program jumps into when a common buffer overflow is successfully exploited. It is just a huge amount of NOP instructions.
- Shellcode payload: the section that executes /bin/sh, binds a shell to a TCP port, etc.

These shellcodes are very easy to detect. In past years it was very common to use 0x90 instructions (nop) on IA32 platforms in the NOP section, so an IDS just searched for some amount X of 0x90 bytes and triggered a shellcode alarm. Also, some IDSs have signatures (such as /bin/sh) to detect the shellcode payload.

When polymorphic shellcodes appeared these techniques became obsolete. Polymorphic shellcodes have three well-defined sections:

- NOP section: this section is now a random mix of no-effect instructions such as inc %eax, inc %ebx, pop %eax, nop, dec %eax, ...
- Decrypter engine: this section contains an engine to decrypt the shellcode payload. The engine is not the same from one shellcode to another; it varies randomly, using some polymorphic techniques borrowed from viruses. The cipher used is normally a xor or a double xor mechanism. A better cipher such as Rijndael could be implemented, but the shellcode would grow by some thousands of bytes and would no longer be usable in many buffer overflow exploitations.
- Encrypted shellcode payload: this section holds the original shellcode, encrypted.

This kind of shellcode is harder, though not impossible, to detect. There has been some discussion on how to detect such shellcodes:

- Shellcode payload decryption and detection with old shellcode payload signatures: this technique, used by antivirus products to detect viral code, can be an approach to detect these shellcodes, but it has some open issues: How do you detect that it is an encrypted shellcode payload? Which cipher mechanism does it use? Which key(s) are used in the cipher mechanism? Can it be brute-forced in a short time?
- Signatures to detect the decrypter engine: this technique could be a better approach, but it has problems too. Since the decrypter engine mutates and too many instructions are involved, the IDS would have to check too many signatures (masks); lots of false positives; too many CPU cycles and time needed.
- Decrypter engine emulation: the IDS emulates the code, so if it finds code that seems to decrypt something in memory it raises a shellcode alarm. This technique raises a low number of false positives but has a strong weakness: too many CPU cycles and time needed.
- NOPS section detection: IMHO this is the best technique. It just tries to detect a run of NOP_NUMBER no-effect instructions. It has some issues, such as false positives, but if you set NOP_NUMBER to a value in the range 50-60 it recognizes almost every shellcode. Weaknesses: lots of CPU cycles; false positives when NOP_NUMBER is low; and since some no-effect instructions have an ASCII representation, some character strings, such as 60 times the letter A (AAAAA...), would be recognized as shellcode.

It is very important to set NOP_NUMBER to a reasonable value in order to avoid too many false positives. Throughout NGSEC's benchmark tests we found that a number in the range 50-60 was a good value to detect shellcodes without too many false positives. You can grab a free, simple Network IDS that implements this technique at: http://www.ngsec.com/downloads/misc/nidsfindshellcode.tgz

3. Intrusion Detection Systems.

There are mainly three types of Intrusion Detection Systems:

- Network IDS: this type of IDS grabs datagrams from a network interface and looks for attack patterns in them (such as port scanning, CGI exploitation, etc.).
- Host IDS: this type of IDS looks for patterns in local user actions; e.g. if a user is trying to view a file such as /root/.rhosts, this action could clearly be identified as an attack pattern.
- Application IDS: this type of IDS has recently appeared. It just looks for attack patterns in all the input data that comes to the application.

Implementing the NOPS section detection on these types of IDS has, as usual, open issues:

- Network IDS: since it has to grab as many datagrams as it can, it cannot waste too much time looking at every packet, because it could drop too many datagrams while looking for NOPS. This would cause a big decrease in IDS performance.
- Host IDS: this technique can be implemented in this type of IDS, but there are better ways of detecting buffer overflow exploitation, since you can watch the flow of the program and see when the return pointer is changed.
- Application IDS: this is the best kind of IDS in which to implement this technique. Since all input data is checked, no data can be dropped, and normally not much data has to be checked (low CPU and time to check), so you can recognize almost all polymorphic shellcodes in the input data. You have to set NOP_NUMBER to a value that fits your protocol and its normal data input.
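The following Python is an added example, not code from the paper or from NGSEC's nidsfindshellcode tool. It implements the NOPS section detection of section 2 and shows the trade-off sections 2 and 3 discuss: the old 0x90-only check beside the no-effect-run check, the NOP_NUMBER threshold, and the ASCII false positive (60 times 'A'). The opcode table, the threshold value of 55 and all sample inputs are constructed assumptions.

```python
"""NOPS-section detection as described in the paper: raise an alarm when the input
contains a run of at least NOP_NUMBER consecutive single-byte IA32 instructions
that have no useful effect (nop, inc r32, dec r32, pop r32).  Added example;
opcode table, threshold and test inputs are constructed assumptions."""
import random

# Single-byte IA32 opcodes a sled can be built from.  Assumed table, based on the
# instructions the paper names (nop, inc %eax, dec %eax, pop %eax ...).
NO_EFFECT_OPCODES = frozenset(
    [0x90]                      # nop
    + list(range(0x40, 0x48))   # inc %eax .. inc %edi (0x41 is ASCII 'A')
    + list(range(0x48, 0x50))   # dec %eax .. dec %edi (0x48-0x4f are 'H'..'O')
    + list(range(0x58, 0x60))   # pop %eax .. pop %edi (0x58-0x5f are 'X'..'_')
)

NOP_NUMBER = 55  # a value inside the 50-60 range the paper found reasonable


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive no-effect opcodes in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in NO_EFFECT_OPCODES else 0
        best = max(best, cur)
    return best


def legacy_0x90_alarm(data: bytes, nop_number: int = NOP_NUMBER) -> bool:
    """The pre-polymorphic check: only a run of plain 0x90 bytes counts."""
    return b"\x90" * nop_number in data


def nop_section_alarm(data: bytes, nop_number: int = NOP_NUMBER) -> bool:
    """The paper's NOPS-section check: any mix of no-effect opcodes counts."""
    return longest_nop_run(data) >= nop_number


def make_mixed_sled(length: int, seed: int = 1) -> bytes:
    """Constructed test input: a random mix of no-effect opcodes, as in the NOP
    section of a polymorphic shellcode, followed by a few non-sled bytes.  No payload."""
    rng = random.Random(seed)
    choices = sorted(NO_EFFECT_OPCODES)
    return bytes(rng.choice(choices) for _ in range(length)) + b"\x00\xff\x00"


def compare_detectors(nop_number: int = NOP_NUMBER) -> dict:
    """Run both checks over constructed inputs; each value is (legacy, nop_section)."""
    samples = {
        "classic_0x90_sled": b"\x90" * 80 + b"\x00\xff\x00",
        "mixed_sled": make_mixed_sled(80),
        "normal_request": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        "sixty_As": b"A" * 60,  # 0x41 = inc %ecx: the false positive the paper warns about
    }
    return {
        name: (legacy_0x90_alarm(data, nop_number), nop_section_alarm(data, nop_number))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (legacy, nops) in compare_detectors().items():
        print(f"{name:18s} legacy_0x90={legacy!s:5s} nop_section={nops}")
```

The mixed sled defeats the 0x90-only check but not the run-length check, while the 60-byte string of 'A' trips the run-length check at any NOP_NUMBER up to 60; lowering the threshold (try `nop_number=30`) makes the false positive fire on even shorter capital-letter runs, which is why the threshold must be tuned to what the protocol's normal input looks like.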

4. NGSecureWeb.

The NOP detection technique was successfully implemented in NGSecureWeb, an Application IDS and firewall for web servers. NGSecureWeb is the result of the fusion of two security technologies: firewalls and IDSs. NGSW filters all traffic from the client to the web server, looking for well-known attacks against web servers and their third-party applications. When NGSW detects a possible attack (acting as an Application IDS), it refuses to forward it to the web server (acting as an Application Firewall). NGSW will protect your system from both known and unknown vulnerabilities, since its IDS engine looks for patterns of well-known attacks. Future security flaws in the web server and its applications will not be exploitable.

Currently the NGSW IDS engine checks for the following patterns:

- Directory traversal attacks: during the past few years many CGI applications have suffered this kind of vulnerability, especially the ones involved in file management. The NGSW Firewall engine protects against both known and unknown vulnerabilities.
- Forbidden words: NGSW searches the entire request for forbidden words (defined by the administrator). For example, it isn't common to find the word "/bin/sh" in an HTTP request. The NGSW IDS engine detects these words and the NGSW Firewall engine blocks the request to the web server.
- Shellcode: the NGSW IDS engine uses the newest techniques in shellcode recognition (even polymorphic ones).
- Long headers (buffer overflows): the NGSW IDS engine checks the length of all HTTP headers, looking for unusual values.
- Long GET (buffer overflows): the NGSW IDS engine checks the length of the GET arguments, looking for unusually high values. These high values could be due to buffer overflow exploitation.
- Long POST (buffer overflows): the NGSW IDS engine checks the length of the URL arguments, looking for unusually high values. These high values could be due to buffer overflow exploitation.
- Long URL (buffer overflows): the NGSW IDS engine checks the length of the URL, looking for unusually high values. These high values could be due to buffer overflow exploitation.

Current version is 1.00. Please direct any enquiries to ngsw@ngsec.com
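As an added example, not NGSecureWeb's own code, the following Python applies the length, forbidden-word and directory-traversal checks from the list above to a single raw HTTP request, the way an application IDS would before forwarding it. The shellcode check is the NOPS-run test of section 2 and is left out here so the block stands alone. The limits, the forbidden-word list, the sample requests and the function names are constructed assumptions; NGSW's real thresholds and configuration are not on this page.

```python
"""Application-IDS style checks of the kinds NGSecureWeb's pattern list names,
applied to one raw HTTP request before it would be forwarded.  Added example,
not NGSW code: limits, forbidden words and sample requests are constructed."""
from urllib.parse import unquote, unquote_to_bytes, urlsplit

# Constructed thresholds (bytes); a real deployment tunes them to the protocol
# and the application's normal input, as the paper says for NOP_NUMBER.
LIMITS = {"url": 1024, "get_args": 512, "post_body": 4096, "header": 512}
# Constructed administrator-defined list of words not expected in a request.
FORBIDDEN_WORDS = (b"/bin/sh", b"cmd.exe")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.0 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    method, target = request_line[0], request_line[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(raw: bytes, limits=LIMITS, forbidden=FORBIDDEN_WORDS) -> list:
    """Return the list of findings; an empty list means the request may be forwarded."""
    findings = []
    method, target, headers, body = parse_request(raw)
    parts = urlsplit(target.decode("latin-1"))
    if len(target) > limits["url"]:
        findings.append("long URL")
    if len(parts.query) > limits["get_args"]:
        findings.append("long GET arguments")
    if len(body) > limits["post_body"]:
        findings.append("long POST body")
    for name, value in headers.items():
        if len(value) > limits["header"]:
            findings.append("long header: " + name.decode("latin-1"))
    # Percent-decode once before the traversal test so ..%2f is seen as ../
    decoded_target = unquote(parts.path) + " " + unquote(parts.query)
    if "../" in decoded_target or "..\\" in decoded_target:
        findings.append("directory traversal")
    # Search the whole request, percent-decoded and case-folded, for forbidden words
    haystack = unquote_to_bytes(raw).lower()
    for word in forbidden:
        if word in haystack:
            findings.append("forbidden word: " + word.decode("latin-1"))
    return findings


# Constructed sample requests
NORMAL = b"GET /index.html?id=42 HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = b"GET /files/..%2f..%2fconfig.ini HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
FORBIDDEN = (b"POST /cgi-bin/form.cgi HTTP/1.0\r\nHost: www.example.com\r\n"
             b"Content-Length: 19\r\n\r\ncomment=%2Fbin%2Fsh")
LONG_HEADER = (b"GET / HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: "
               + b"x" * 2000 + b"\r\n\r\n")
LONG_URL = b"GET /" + b"a" * 3000 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def run_samples() -> dict:
    """Findings for each constructed sample, keyed by sample name."""
    return {name: inspect_request(req) for name, req in
            [("normal", NORMAL), ("traversal", TRAVERSAL), ("forbidden", FORBIDDEN),
             ("long_header", LONG_HEADER), ("long_url", LONG_URL)]}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:12s} {'FORWARD' if not findings else 'BLOCK'} {findings}")
```

Two details matter in practice: the traversal and forbidden-word tests run on the percent-decoded request, since a raw byte search would miss "..%2f" or "%2Fbin%2Fsh", and each check is a separate finding, so an administrator can see which rule blocked a request when tuning the limits against legitimate traffic.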

5. References.

[1] NGSecureWeb at http://www.ngsec.com
[2] ADM mutate at http://www.ktwo.ca/security.html
[3] Focus-IDS at http://www.securityfocus.com/

6. Credits.

This document was brought to you by:

Fermín J. Serna <fjserna@ngsec.com>
Chief Technology Officer
Next Generation Security Technologies
http://www.ngsec.com

NGSEC Research Team <labs@ngsec.com>