Platform Independent Programs

My thesis presentation

Bogwonch

June 13, 2012
Transcript

  1. WHAT ARE THEY?
     • Programs that run on multiple architectures from one binary
     • Plus a bit of steganography
     • Exploit overlaps in instruction set binary formats
     • First work done by the DJB research team at Carnegie Mellon University
     Wednesday, 13 June 12
  2. HOW DO YOU DO IT?
     • For each architecture:
     • Compile a list of semantic NOP instructions
     • Instructions which are semantically equivalent to a sequence of NOP instructions
     • Get a list of jump instructions
  3. HOW DO YOU DO IT?
     • Find sequences of the form semantic NOP then jump
     • Find their binary form
     • Find the ones whose binary forms match between architectures
     • Focused on safe sequences
     • No modification of state
  4. WHY WOULD YOU WANT TO DO THIS?
     • Execution-based steganography
     • Platform independent shellcode
     • Obfuscation
     • Exfiltration protection
     • Kinda cool
  5. PROBLEMS?
     • No public lists of semantic NOPs
     • Problems of scale
     • Space
     • Time
     • Problems with toolchains
     • Liveness analysis would help
  6. WHAT DID I DO?
     • Found semantic NOPs for ARM, MIPS, X86 and XS1
     • XS1 is novel
     • Recreated part of the existing PIP research
     • Created new PIP headers
     • Looked at steganographic effectiveness
  7. NOVELTY?
     • Publicly available list of semantic NOPs
     • Started bringing PIPs to XS1
     • Improved on existing results for the MIPS architecture
     • Looked at steganographic effectiveness
  8. PIP HEADERS
     • Key to writing PIPs
     • Have the form do nothing then jump on multiple architectures
     • Use semantic NOPs to do nothing
     • There are far more of them than plain NOP instructions, so more byte sequences can serve as a header
  9. 90EB202A90EB203A24770104
     • A PIP header for ARM, X86 and MIPS
     • The canonical example
     • Will use the Radare2 reverse engineering framework to show how this is a PIP
  10. 90EB202A90EB203A24770104
     • rasm2 -d -a mips 90eb202a90eb203a24770104
       slti zero,s1,-5232
       xori zero,s1,0xeb90
       b 0x10001dc9c
     • Two writes to $zero (discarded, so semantic NOPs) followed by an unconditional branch: do nothing, then jump
     • The same bytes read as nop; jmp short +0x20 on x86, and as bcs; bcc on little-endian ARM (complementary conditions, so one of the two branches is always taken)
  11. 8 BYTE ARM LE, MIPS BE, X86
     • 7a..7b086a......
     • 7a..7b096a......
     • 7a..7b0a6a......
     • 7a..7b0b6a......
     • 81a08008ea......
     • 81a08008e3a0f...
     • 81a08008e28ff...
     • 81a08008e24ff...
  12. WHAT ARE THE DOTS?
     • Dots indicate that we do not care what value that nibble contains
     • Without don't-care symbols the search becomes horrifically large
     • KB becomes MB becomes GB
     • Hours become days
  13.
     • xori rt,rs,immediate ⇒ rt ← rs ⊕ immediate
     • If we make rt register zero this is always a semantic NOP (writes to $zero are discarded)
     • If we enumerated each we'd have 2,097,152 semantic NOPs (2^21: 5 bits of rs and 16 bits of immediate)
     • Or we use don't cares: the immediate becomes four dots and only the nibbles holding rs vary
     • 2 free bits in the second nibble (4 values)
     • 3 free bits in the third nibble (8 values)
     • So 4 × 8 = 32 nibble patterns instead of 2,097,152
  14. 7A..7B086A......
     • rasm2 -d -a x86 $(sed 's/\./0/g' <<< 7a..7b086a......)
       jp 0x100000002
       jnp 0x10000000c
       push 0x0
       add [eax], al
     • rasm2 -d -a mips $(sed 's/\./0/g' <<< 7a..7b086a......)
       j 0x101ec01e8
       0x6a
     • rasm2 -d -a arm -e $(sed 's/\./0/g' <<< 7a..7b086a......)
       bvc 0x10001ec28
       bvs 0x10000000c
     • The sed call fills the don't cares with 0 so rasm2 gets concrete bytes; in a real header those nibbles are chosen so that the jp displacement also clears the header (with 0 it just lands on the jnp)
     • In every view the header ends in a jump that is always taken: complementary pairs on x86 (jp/jnp) and ARM (bvc/bvs), an unconditional j on MIPS
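The search procedure of slides 2-3 (per-architecture "semantic NOP then jump" lists, intersected by their binary forms) and the don't-care compression of slides 12-13, as an added example in Python. This is not the thesis's tool or the CMU code: the pattern unification, the MIPS I-type generator and the function names are mine, and the x86 and ARM candidate lists are constructed by hand from the canonical header on slide 9 rather than generated from full instruction tables. It generalizes the slides' single xori case to any MIPS I-type instruction that writes $zero.

```python
"""Cross-architecture PIP header search over nibble patterns with don't cares.

Added example (not the thesis's own tool). Patterns are lower-case hex of the
on-disk bytes, '.' meaning "any nibble". A header candidate for one
architecture is a semantic-NOP-then-jump sequence; a PIP header is a pattern
that unifies with a candidate on every architecture.
"""
from itertools import product

DONT_CARE = "."


def unify(p: str, q: str):
    """Most specific pattern matched by both p and q, or None if they clash.

    A fixed nibble wins over a don't care; two different fixed nibbles clash.
    """
    if len(p) != len(q):
        return None
    out = []
    for a, b in zip(p, q):
        if a == b or b == DONT_CARE:
            out.append(a)
        elif a == DONT_CARE:
            out.append(b)
        else:
            return None
    return "".join(out)


def matches(pattern: str, hexstr: str) -> bool:
    """True if the concrete hex string is an instance of the pattern."""
    return len(pattern) == len(hexstr) and all(
        a == DONT_CARE or a == b for a, b in zip(pattern, hexstr))


def mips_le_i_type(opcode: int) -> list:
    """Nibble patterns for a little-endian MIPS I-type instruction
    (opcode(6) rs(5) rt(5) imm(16)) with rt fixed to $zero, i.e. a semantic NOP.

    The immediate is a full don't care (four dots). rs straddles the two upper
    bytes, so its 32 values are enumerated: 4 choices for one nibble times 8
    for the other, exactly the slide-13 count.
    """
    pats = set()
    for rs in range(32):
        word = (opcode << 26) | (rs << 21)  # rt = 0, imm = 0
        pats.add("...." + word.to_bytes(4, "little").hex()[4:])
    return sorted(pats)


def find_pip_headers(arch_patterns: dict) -> list:
    """Patterns that are a do-nothing-then-jump sequence on every architecture."""
    lists = list(arch_patterns.values())
    common = set(lists[0])
    for pats in lists[1:]:
        common = {u for c in common for p in pats
                  if (u := unify(c, p)) is not None}
    return sorted(common)


# Constructed 12-byte (24-nibble) candidate lists, one per architecture (assumption:
# a real run would generate these from complete semantic-NOP and jump tables).
X86 = ["90eb" + "." * 20]  # nop ; jmp rel8 (displacement only has to clear the header)
ARM_LE = [  # two branches with complementary conditions: one is always taken
    "......2a" + "......3a" + "." * 8,  # bcs ; bcc  (the slide-9 header's pair)
    "......8a" + "......9a" + "." * 8,  # bhi ; bls  (an alternative pair, for contrast)
]
MIPS_NOPS = mips_le_i_type(0b001010) + mips_le_i_type(0b001110)  # slti / xori into $zero
MIPS_JUMPS = ["....0104", "....0010"]  # bgez $zero ; beq $zero,$zero (offset free)
MIPS_LE = [n1 + n2 + j for n1, n2, j in product(MIPS_NOPS, MIPS_NOPS, MIPS_JUMPS)]

CANONICAL = "90eb202a90eb203a24770104"  # the header from slide 9


def headers_matching_canonical(headers: list) -> list:
    """Which of the found header patterns cover the slide-9 header."""
    return [h for h in headers if matches(h, CANONICAL)]


if __name__ == "__main__":
    found = find_pip_headers({"x86": X86, "arm": ARM_LE, "mips": MIPS_LE})
    print(len(found), "PIP header patterns, e.g.", found[0])
    print("slide-9 header is covered by", headers_matching_canonical(found))
```

The MIPS branch delay slot is not modelled: whatever follows the header executes on MIPS before the branch lands, so a real generator has to check that word too. The bhi/bls pair survives the x86 step but dies at the MIPS step, because no I-type semantic NOP has a top nibble of 8 or 9; that is the "find the ones which match between architectures" filter doing its job.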
  15. SEMANTIC NOPS
     • Instructions that don't do anything
     • Used in:
     • Obfuscation (dead code addition)
     • Polymorphic malware (and anti-malware)
     • Assemblers (GAS)
     • No publicly available database
     • Now there is one on Github
  16. DETECTION
     • PIPs can be used for steganography
     • No previous research into how easy PIPs are to detect
     • Looked at how often they turn up in non-PIP code for x86 and ARM
  17. PIPS ARE EASY TO DETECT
     • PIP headers turn up very rarely in the wild
     • No more often than in random code
     • If a program were constructed from repeated gadgets it would stick out
     • Detector counts PIP headers
     • If there is a significant number, suspect the program is a PIP
  18. PIPS ARE EASY TO DETECT... MAYBE
     • In this project I always used safe PIPs
     • No modification of state
     • But if you were to allow modifying state you would get more PIPs
     • Should be harder to write a detector
     • Requires static analysis
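The counting detector of slide 17, as an added example in Python; it is not the thesis's detector and its threshold is an assumption. The single header class is a regex derived from the slide-9 header (x86 nop; jmp / ARM bcs; bcc / MIPS slti and xori into $zero then bgez $zero), with the MIPS rs bits, the immediates and the branch offset left free; a real detector would carry one regex per header class. Both inputs are constructed here: a program stitched from repeated header-plus-payload gadgets, and a random-bytes baseline standing in for "random code". As slide 18 says, this only catches safe (state-preserving) headers written as fixed byte classes.

```python
"""PIP header counting as a detector (added example, not the thesis's code).

A header class is a regex over the lower-case hex of the on-disk bytes. The
detector counts byte offsets at which any class starts and flags a program
whose header density is far above what random code produces.
"""
import random
import re

HEADER_BYTES = 12
# Derived from the slide-9 header 90eb202a90eb203a24770104:
#   word 1: 90eb (x86 nop; jmp) + MIPS slti into $zero (rs free) under ARM bcs (2a)
#   word 2: MIPS xori into $zero (rs free) under ARM bcc (3a), x86 skips it
#   word 3: MIPS bgez $zero with a free 16-bit offset (0104 in the upper bytes)
PIP_HEADER_CLASSES = [
    re.compile(r"90eb[02468ace]02a[0-9a-f]{4}[02468ace]03a[0-9a-f]{4}0104"),
]


def pip_header_count(blob: bytes) -> int:
    """Number of byte offsets at which some PIP header class starts."""
    h = blob.hex()
    hits = 0
    # Step two hex digits (one byte) at a time; headers need not be word aligned.
    for i in range(0, len(h) - 2 * HEADER_BYTES + 1, 2):
        if any(cls.match(h, i) for cls in PIP_HEADER_CLASSES):
            hits += 1
    return hits


def header_density_per_kib(blob: bytes) -> float:
    """Headers per KiB, so blobs of different sizes can be compared."""
    return pip_header_count(blob) * 1024 / max(len(blob), 1)


def looks_like_pip(blob: bytes, max_per_kib: float = 1.0) -> bool:
    """Flag the program if header density exceeds the (assumed) threshold.

    The class above fixes about 62 bits, so random bytes essentially never
    match; a handful of headers per KiB already stands out.
    """
    return header_density_per_kib(blob) > max_per_kib


def build_pip_program(gadgets: int, seed: int = 1) -> bytes:
    """Constructed input: `gadgets` copies of header + 20 random payload bytes."""
    rng = random.Random(seed)
    header = bytes.fromhex("90eb202a90eb203a24770104")
    return b"".join(header + rng.randbytes(20) for _ in range(gadgets))


def baseline_blob(size: int, seed: int = 2) -> bytes:
    """Constructed input standing in for random (non-PIP) code."""
    return random.Random(seed).randbytes(size)


if __name__ == "__main__":
    pip = build_pip_program(40)
    plain = baseline_blob(4096)
    for name, blob in (("gadget program", pip), ("random baseline", plain)):
        print(f"{name}: {pip_header_count(blob)} headers, "
              f"{header_density_per_kib(blob):.2f}/KiB, pip={looks_like_pip(blob)}")
```

Scanning at every byte offset rather than at decoded instruction boundaries is deliberate: the header is only a valid instruction sequence on the architectures the PIP targets, so a disassembler for the host architecture may not expose it, but the byte class is architecture neutral.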
  19. OTHER APPROACHES
     • Self-modifying code
     • Encryption
     • Microcode updates
     • Alter how the CPU expands CISC instructions into RISC microcode
  20. CONCLUSION
     • Found PIPs for ARM, MIPS, X86 and XS1
     • Created a database of semantic NOPs
     • Looked at steganographic properties
     • PIPs should be detectable
     • Suggested workarounds