BreachForce
December 21, 2024

THE ART OF DECEPTION - Turing Machine + Malware = Magic

Title: THE ART OF DECEPTION - Turing Machine + Malware = Magic
Presenter: ​Adhokshaj Mishra
Event: BreachForce CyberSecurity Cohort
Talk Date: 21st-December-2024

Key Takeaways: ​Discover the intriguing mechanics of deception and how malware manipulates systems in this eye-opening session.

Transcript

  1. THE ART OF DECEPTION: Turing Machine + Malware = Magic
    Adhokshaj Mishra, Staff Detection Engineer - Linux Agent CWS DBT, SentinelOne Inc.
    December 21, 2024 (Margashirsha Krishna Shashthi, Shaka era 1946), BreachForce, Mumbai, Bharat
  2. Agenda
    1. Who am I?
    2. What is Turing Machine?
    3. Turing Machine as "hacker tool"
    4. "Weaponising" Turing Machines
    5. Reversing a Turing Machine
  3. Who am I? (section 1)
    • Detection fella by day, malware fella by night
    • Known for giving existential crisis
    • Guilty pleasure: setting things on fire
    • Life motto: let there be malware
    • Current gig: Staff Detection Engineer - Linux Agent, SentinelOne Inc.
    • Let us connect: LinkedIn: adhokshajmishra
  4. Disclaimer
    The technique(s) presented hereafter are offensive in nature, and are generally considered a criminal offence if practised without proper authorisation in place. It is presented here for educational purpose only. In other words, if you come to me saying that you are neck-deep in mess due to these techniques, I won't feel responsible at all. You have been warned.
  5. Turing Machine (What is Turing machine?, section 2)
    • A mathematical model of computation.
    • Works by manipulating symbols on an infinitely long tape, according to a given set of rules:
      • Read
      • Compare
      • Jump to new location
      • Write / replace
  6. Turing Machine (What is Turing machine?, section 2)
    • Despite its simplicity, it is (almost) equivalent to a computer.
    • Only difference: a Turing Machine has infinite memory.
    In other words, whatever is possible on a computer is also possible on a Turing Machine. Whatever is impossible on a Turing Machine is also impossible on a computer.
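The four primitives listed on slide 5 (read, compare, jump, write/replace) are enough to see what a Turing machine actually does step by step. The following simulator is an added example, not code from the deck or its author; the transition table is a constructed machine that increments an unsigned binary number on the tape, and the unbounded dict stands in for the infinite tape.

```python
# Added example (not from the deck): a minimal Turing machine simulator.
# The transition table is a constructed machine that increments an unsigned
# binary number written on the tape. Each step performs exactly the four
# primitives the slide lists: read, compare (table lookup), write/replace,
# jump (move the head and change state).

from typing import Dict, Tuple

# (state, symbol_read) -> (symbol_to_write, head_move, next_state)
Transition = Dict[Tuple[str, str], Tuple[str, str, str]]

# Binary increment; the head starts on the most significant bit, '_' is blank.
BIN_INCREMENT: Transition = {
    # walk right until the blank after the least significant bit
    ("seek_end", "0"): ("0", "R", "seek_end"),
    ("seek_end", "1"): ("1", "R", "seek_end"),
    ("seek_end", "_"): ("_", "L", "carry"),
    # add one, propagating the carry leftwards
    ("carry", "1"): ("0", "L", "carry"),
    ("carry", "0"): ("1", "L", "done"),
    ("carry", "_"): ("1", "L", "done"),   # overflow: grow the number by one bit
}


def run_turing_machine(table: Transition, tape_str: str, start: str,
                       halt: str, blank: str = "_", max_steps: int = 10_000) -> str:
    """Run `table` on `tape_str` until state `halt` is reached; return the tape.

    The tape is a dict keyed by cell index, so it is unbounded in both
    directions (the 'infinite tape'). A missing rule or an exhausted step
    budget raises RuntimeError, so a non-halting machine cannot hang the caller.
    """
    tape = {i: ch for i, ch in enumerate(tape_str)}
    head, state, steps = 0, start, 0
    while state != halt:
        if steps >= max_steps:
            raise RuntimeError("step budget exhausted (machine may not halt)")
        symbol = tape.get(head, blank)            # read
        rule = table.get((state, symbol))         # compare against the rule set
        if rule is None:
            raise RuntimeError(f"no rule for state {state!r}, symbol {symbol!r}")
        write, move, state = rule
        tape[head] = write                        # write / replace
        head += 1 if move == "R" else -1          # jump to new location
        steps += 1
    lo, hi = min(tape), max(tape)
    return "".join(tape.get(i, blank) for i in range(lo, hi + 1)).strip(blank)


def increment_binary(bits: str) -> str:
    """Convenience wrapper: run the constructed increment machine on `bits`."""
    return run_turing_machine(BIN_INCREMENT, bits, "seek_end", "done")


if __name__ == "__main__":
    for n in ("0", "1011", "111"):
        print(n, "+ 1 =", increment_binary(n))
```

The step budget matters when you are running an unknown machine: deciding whether an arbitrary machine halts is not possible in general, so a simulator used for analysis needs an explicit bound.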
  7. Lambda Calculus (What is Turing machine?, section 2)
    • Just like the Turing Machine models a computer, lambda calculus models a programming language.
    • Very simple, just like the Turing Machine
      • Does not have loops
      • Or booleans, or tuples
      • Or basic arithmetic operators (+, - etc.)
  8. Lambda Calculus (What is Turing machine?, section 2)
    Yet, any arbitrary program, which can be written in any programming language, can also be converted into an equivalent Lambda expression. Something that cannot be converted into Lambda expressions cannot be written as a program.
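Slides 7 and 8 make a claim that is easy to doubt: a calculus with no loops, booleans, tuples or arithmetic can still express any program. The block below is an added example (not from the deck) that builds those missing pieces out of nothing but single-argument lambdas, using the standard Church encodings and a fixed-point combinator for recursion; `church`, `to_int` and `to_bool` exist only to convert values in and out for testing.

```python
# Added example (not from the deck): Church encodings in Python. Every value
# below is a single-argument lambda; only `church`, `to_int` and `to_bool`
# step outside the calculus, to convert values for display and testing.

# Booleans: a boolean is a function that selects one of two arguments.
TRUE = lambda t: lambda f: t
FALSE = lambda t: lambda f: f
AND = lambda p: lambda q: p(q)(p)
NOT = lambda p: p(FALSE)(TRUE)

# Pairs (tuples): a pair is a function waiting for a selector.
PAIR = lambda a: lambda b: lambda sel: sel(a)(b)
FIRST = lambda p: p(TRUE)
SECOND = lambda p: p(FALSE)

# Numerals: the numeral n means "apply f n times".
ZERO = lambda f: lambda x: x
SUCC = lambda n: lambda f: lambda x: f(n(f)(x))
ADD = lambda m: lambda n: lambda f: lambda x: m(f)(n(f)(x))
MUL = lambda m: lambda n: lambda f: m(n(f))
IS_ZERO = lambda n: n(lambda _: FALSE)(TRUE)

# Predecessor via the pair-shifting trick: step (k, k-1) -> (k+1, k), n times
# starting from (0, 0), then take the second component.
PRED = lambda n: SECOND(n(lambda p: PAIR(SUCC(FIRST(p)))(FIRST(p)))(PAIR(ZERO)(ZERO)))

# A loop without loops: the Z combinator (strict-evaluation form of Y).
Z = lambda f: (lambda x: f(lambda v: x(x)(v)))(lambda x: f(lambda v: x(x)(v)))

# Factorial by recursion through Z. The 'if' is a Church boolean selecting
# one of two thunks; thunks are needed because Python evaluates arguments
# eagerly, whereas the calculus itself would rely on reduction order.
FACT = Z(lambda self: lambda n:
         IS_ZERO(n)(lambda _: SUCC(ZERO))(lambda _: MUL(n)(self(PRED(n))))(None))


def church(n: int):
    """Encode a Python int as a Church numeral."""
    c = ZERO
    for _ in range(n):
        c = SUCC(c)
    return c


def to_int(n) -> int:
    """Decode a Church numeral by applying 'add one' n times to 0."""
    return n(lambda k: k + 1)(0)


def to_bool(b) -> bool:
    """Decode a Church boolean."""
    return b(True)(False)


if __name__ == "__main__":
    print(to_int(ADD(church(3))(church(4))))   # 7
    print(to_bool(AND(TRUE)(NOT(FALSE))))      # True
    print(to_int(FACT(church(5))))             # 120
```

The same idea is what makes the later slides work: once assignment and a conditional jump can be built from some primitive, every higher-level construct an analyst expects to see can be hidden behind that primitive.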
  9. Why even care about it? (Turing machine as hacker tool, section 3)
    • Turing machines allow us to analyse the "problems" in very abstract terms.
    • Program the solution for a Turing machine
    • Then build that Turing machine somewhere
    • And the program magically runs at that place
  10. Why even care about it? (Turing machine as hacker tool, section 3)
    There are some "unexpected" benefits:
    • Not all Turing machines look and feel like Turing machines
    • Even when they do, many of them will not be obvious at all
    • Or even so counter-intuitive that nothing less than a formal proof can convince you!
  11. Use cases (Turing machine as hacker tool, section 3)
    Code obfuscation
    • Instructions doing unintuitive things
    • Instruction is supposed to do X, but somehow Y also happens
    • Analyst and his tools focus on X
    • And Y remains a mystery
  12. Use cases (Turing machine as hacker tool, section 3)
    Control flow obfuscation
    • Unintuitive control flows
    • Control flow can look linear, while having various jumps and branches.
    • Malware analyst and his tools see a straight line
    • While the "real control flow" remains hidden in plain sight
  13. Turing Completeness (Weaponising Turing Machines, section 4)
    It defines a system or computer's potential capacity to solve any complex computation problem if provided with enough memory and time.
    Turing complete = <thing> can solve any solvable problem given enough memory and time.
  14. Finding Turing Completeness (Weaponising Turing Machines, section 4)
    We have mostly two options:
    • Build a Turing machine from the definition using the arrangement we want to test for Turing completeness
      • Can we build a Turing machine?
      • Yes: The arrangement is Turing complete.
      • No: The arrangement is not Turing complete.
  15. Finding Turing Completeness (Weaponising Turing Machines, section 4)
    We have mostly two options:
    • Mimic something else which is already Turing complete
      • Can we mimic some Turing complete stuff?
      • Yes: Turing complete.
      • No: Not Turing complete.
  16. Turing complete systems (Weaponising Turing Machines, section 4)
    We already know some Turing complete systems:
    • BrainFuck is Turing complete
    • Convert your payload into BrainFuck program
    • Let analyst have fun reversing it.
  17. Turing complete systems (Weaponising Turing Machines, section 4)
    BrainFuck:
    >> +>>>>>,[>+ >> ,]>+[ -- [+ <<< -]<[ <+>- ]< [ < [->[ << < +>>>>+ < - ] << [ >> +> [- >]<<[ < ] <- ] >]>>> +<[[-]<[>+ <- ]<]>[[ >> > ]+ <<< -< [ << [ << < ] >>+ > [ >>> ] < - ] < < [ <<< ]>[ >> [ >> >]< +<< [ << < ] > - ]]+ << < ]+[- >>> ] > > ] >> [. >>> ]
    This program sorts given inputs using quick sort.
  18. Turing complete systems (Weaponising Turing Machines, section 4)
    BrainFuck is too easy for our taste. We need something more esoteric.
    • Combination of assignment and conditional jump is Turing complete.
    Can we torture this into doing something useful for us?
  19. Weaponising Turing Machines (section 4)
    If you think hard about it, it turns out that a lot of things are accidentally Turing complete:
    • Repeated string lookup and replace
      • A general Turing machine with extra steps.
    • Example: repeated invocation of the pre-processor in C (or even C++)
    • Example: font ligature processing (with specially crafted font files)
    The first is too "easy" for our taste. The other two can stick out like sore thumbs.
  20. Weaponising Turing Machines (section 4)
    There are even better options:
    • MOV in x86 is Turing complete.
    • Published paper: https://drwho.virtadpt.net/files/mov.pdf
    • Proven by building a Turing machine from its definition.
  21. Weaponising Turing Machines (section 4)
    This is not limited to Intel x86, or CISC architectures. Accidental Turing completeness is present in RISC architectures as well.
    • LDR + STR in aarch64 (64-bit ARM) is Turing complete.
    • Anything can be done by loading and storing.
  22. Weaponising Turing Machines (section 4)
    To prove it, we will rely on "assignment + conditional jump is Turing complete".
    Assignment: suppose a value V is supposed to be assigned to a variable located at address A
    LDR X1, =A    ; store value A in X1
    LDR X2, =V    ; store value V in X2
    STR X2, [X1]  ; store value from X2 at address stored in X1
  23. Weaponising Turing Machines (section 4)
    Comparison: We can trivially check if two given values A and B are equal or not.
    LDR X1, =A    ; value1 to be compared.
    LDR X2, =B    ; value2 to be compared.
    LDR X3, =0    ; result for false / not equal
    LDR X4, =1    ; result for true / equal
    …
  24. Weaponising Turing Machines (section 4)
    Comparison: We can trivially check if two given values A and B are equal or not.
    …
    STR X3, [X1]  ; store 'false' at address stored in X1
    STR X4, [X2]  ; store 'true' at address stored in X2
    LDR X5, [X1]  ; read result from address stored in X1
  25. Weaponising Turing Machines (section 4)
    Comparison: We can trivially check if two given values A and B are equal or not.
    If A == B:
    …
    STR X3, [X1]  ; store 'false' at address stored in X1
    STR X4, [X2]  ; overwrites the result to 'true', as X2 == X1
    LDR X5, [X1]  ; reads 'true'
  26. Weaponising Turing Machines (section 4)
    Comparison: We can trivially check if two given values A and B are equal or not.
    If A != B:
    …
    STR X3, [X1]  ; store 'false' at address stored in X1
    STR X4, [X2]  ; result not overwritten, as X2 != X1
    LDR X5, [X1]  ; reads 'false'
  27. Weaponising Turing Machines (section 4)
    Conditional jump: based on the result of the comparison, we can pick one address to jump to. Let us assume:
    • If comparison result is 0, destination address is A.
    • If comparison result is 1, destination address is B.
  28. Weaponising Turing Machines (section 4)
    We start by making a lookup table of addresses:
    LDR X1, =D        ; D is the address where the lookup table is to be stored.
    LDR X2, =A        ; target address for 'false'
    LDR X3, =B        ; target address for 'true'
    STR X2, [X1]      ; first entry in lookup table at [X1]
    STR X3, [X1, #8]  ; second entry in lookup table at [X1 + 8]
  29. Weaponising Turing Machines (section 4)
    Once we have our lookup table ready, we can perform the lookup. Comparison result is stored in X5.
    ; X1 contains address
    ; X5 contains offset
    ; 'LSL #3' will scale the offset by 2^3
    LDR X4, [X1, X5, LSL #3]
  30. Weaponising Turing Machines (section 4)
    Once we have our lookup table ready, we can perform the lookup. Comparison result is stored in X5.
    ; if X5 = 0, X4 will contain [X1], which is target address A
    ; if X5 = 1, X4 will contain [X1 + 8], which is target address B
    LDR X4, [X1, X5, LSL #3]
  31. Weaponising Turing Machines (section 4)
    Since we have implemented all components of "assignment and conditional jump", we claim that LDR + STR is Turing complete. In other words, we can implement a sufficiently large part of our payload in a chain of LDR and STR.
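The three building blocks on slides 22 to 30 are easiest to check by emulating them, because the whole trick lives in memory aliasing rather than in any instruction's semantics. The block below is an added example, not code from the deck; it models registers and memory as dicts, implements only the addressing modes the slides use, and uses constructed addresses. It exists to show an analyst what the pattern computes and what side effects it leaves behind.

```python
# Added example (not from the deck): emulation of the LDR/STR assignment,
# comparison and conditional-jump chain from slides 22-30. Registers and
# memory are plain dicts; only the addressing modes used on the slides are
# modelled. All addresses and values are constructed for the example.

from typing import Dict

Regs = Dict[str, int]
Mem = Dict[int, int]


def ldr_imm(regs: Regs, rd: str, value: int) -> None:
    """LDR Xd, =value   (literal load)"""
    regs[rd] = value


def str_mem(regs: Regs, mem: Mem, rs: str, rbase: str, offset: int = 0) -> None:
    """STR Xs, [Xbase, #offset]"""
    mem[regs[rbase] + offset] = regs[rs]


def ldr_mem(regs: Regs, mem: Mem, rd: str, rbase: str, offset: int = 0) -> None:
    """LDR Xd, [Xbase, #offset]   (unmapped memory reads as 0 here)"""
    regs[rd] = mem.get(regs[rbase] + offset, 0)


def ldr_indexed(regs: Regs, mem: Mem, rd: str, rbase: str, rindex: str, shift: int) -> None:
    """LDR Xd, [Xbase, Xindex, LSL #shift]"""
    regs[rd] = mem.get(regs[rbase] + (regs[rindex] << shift), 0)


def assign(mem: Mem, addr: int, value: int) -> None:
    """Slide 22: write `value` to `addr` using only LDR/STR."""
    regs: Regs = {}
    ldr_imm(regs, "X1", addr)
    ldr_imm(regs, "X2", value)
    str_mem(regs, mem, "X2", "X1")


def compare_equal(mem: Mem, a: int, b: int) -> int:
    """Slides 23-26: 1 if a == b else 0, with no CMP and no branch.

    Both operands are used as addresses: 'false' is stored at a, then 'true'
    at b. When a == b the second store overwrites the first, so reading back
    from a yields 'true'. Side effect worth noting when reversing: memory at
    a and at b is clobbered, and both must be writable addresses.
    """
    regs: Regs = {}
    ldr_imm(regs, "X1", a)
    ldr_imm(regs, "X2", b)
    ldr_imm(regs, "X3", 0)
    ldr_imm(regs, "X4", 1)
    str_mem(regs, mem, "X3", "X1")   # store 'false' at [X1]
    str_mem(regs, mem, "X4", "X2")   # store 'true'  at [X2]
    ldr_mem(regs, mem, "X5", "X1")   # read result back from [X1]
    return regs["X5"]


def conditional_target(mem: Mem, table_addr: int, result: int,
                       addr_false: int, addr_true: int) -> int:
    """Slides 27-30: select a jump target from a two-entry table indexed by `result`."""
    regs: Regs = {}
    ldr_imm(regs, "X1", table_addr)
    ldr_imm(regs, "X2", addr_false)
    ldr_imm(regs, "X3", addr_true)
    str_mem(regs, mem, "X2", "X1", 0)            # table[0] = A
    str_mem(regs, mem, "X3", "X1", 8)            # table[1] = B
    regs["X5"] = result                          # comparison result from above
    ldr_indexed(regs, mem, "X4", "X1", "X5", 3)  # X4 = table[X5 * 8]
    return regs["X4"]


def branch_if_equal(a: int, b: int, addr_false: int, addr_true: int) -> int:
    """Whole chain: compare a and b, then compute where execution would continue."""
    mem: Mem = {}
    result = compare_equal(mem, a, b)
    return conditional_target(mem, 0x1000, result, addr_false, addr_true)


if __name__ == "__main__":
    print(hex(branch_if_equal(0x2000, 0x2000, 0x4000, 0x5000)))  # 0x5000
    print(hex(branch_if_equal(0x2000, 0x3000, 0x4000, 0x5000)))  # 0x4000
```

Two observations fall out of the emulation that a static read of the listing hides: the comparison only works if both operands are valid writable addresses, and the lookup table region D must not overlap those operands, or the table writes and the comparison writes corrupt each other. Both constraints are useful hooks when deciding whether a suspicious LDR/STR run is really implementing this pattern.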
  32. Weaponising Turing Machines (section 4)
    Other Turing complete arrangements:
    • XOR in Intel x86 is Turing complete.
    • ELF loading is Turing complete.
      • Needs specially crafted ELF.
    • Ligature handling in fonts is Turing complete.
      • Needs specially crafted fonts.
    • Single instruction set computers (also known as Turing tarpits)
  33. Weaponising Turing Machines (section 4)
    Using such techniques at scale:
    • Modify a compiler to generate a chain of MOVs or LDRs / STRs instead of other instructions.
      • Or generate a suitable ELF / font file etc.
    • Use modified compiler to compile source code.
    • And enjoy the fireworks while analyst screams in horror.
  34. Identifying Turing Machines (Reversing Turing Machines, section 5)
    To identify potential Turing machines:
    • You already need to know common "patterns" which lead to Turing completeness.
    • Such Turing machines will have a small number of distinct steps getting repeated very frequently.
    • When in doubt, analyse the pattern, and see if it can be proven to be Turing complete.
  35. Reversing Turing Machines (section 5)
    To reverse potential Turing machines:
    • Identify patterns which are being used as basic building blocks.
    • Identify how these patterns are implementing higher level operations (loops, function calls etc.)
    • Analyse the actual payload by dissecting it into groups of patterns from the previous step.
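Slide 34's identification hint ("a small number of distinct steps getting repeated very frequently") can be turned into a first-pass triage check over a disassembly. The block below is an added example, not tooling from the deck or its author: it parses a constructed objdump-style listing (symbol headers and one instruction per line, with the raw byte column omitted), computes mnemonic diversity per function, and flags functions whose instruction mix is dominated by one or two mnemonics. The thresholds are assumptions chosen for illustration and would need tuning against real corpora.

```python
# Added example (not from the deck): a mnemonic-diversity heuristic for the
# "few distinct steps repeated very often" pattern described on slide 34.
# The listing is constructed in objdump -d style with the raw byte column
# omitted; thresholds are assumptions for illustration.

import re
from collections import Counter
from typing import List, Tuple

# Constructed sample: `normal` looks like ordinary compiled code, `suspicious`
# is a long run of nothing but LDR/STR, the shape the slides describe.
SAMPLE_LISTING = """
0000000000400000 <normal>:
  400000:  stp x29, x30, [sp, #-16]!
  400004:  mov x29, sp
  400008:  ldr x0, [x1]
  40000c:  add x0, x0, #1
  400010:  cmp x0, x2
  400014:  b.ne 400008 <normal+0x8>
  400018:  str x0, [x1]
  40001c:  ldp x29, x30, [sp], #16
  400020:  ret
0000000000401000 <suspicious>:
  401000:  ldr x1, 401100 <lit>
  401004:  ldr x2, 401108 <lit+0x8>
  401008:  str x2, [x1]
  40100c:  ldr x3, 401110 <lit+0x10>
  401010:  ldr x4, 401118 <lit+0x18>
  401014:  str x3, [x1]
  401018:  str x4, [x2]
  40101c:  ldr x5, [x1]
  401020:  ldr x4, [x1, x5, lsl #3]
  401024:  ldr x1, 401120 <lit+0x20>
  401028:  str x4, [x1]
  40102c:  ldr x2, [x1]
  401030:  str x2, [x3]
"""

HEADER_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:")
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+([a-z][a-z0-9.]*)")


def parse_functions(listing: str) -> List[Tuple[str, List[str]]]:
    """Return (function_name, [mnemonics]) for each symbol block in the listing."""
    funcs: List[Tuple[str, List[str]]] = []
    name, mnems = None, []
    for line in listing.splitlines():
        hdr = HEADER_RE.match(line)
        if hdr:
            if name is not None:
                funcs.append((name, mnems))
            name, mnems = hdr.group(1), []
            continue
        m = INSN_RE.match(line)
        if m and name is not None:
            mnems.append(m.group(1))
    if name is not None:
        funcs.append((name, mnems))
    return funcs


def diversity_score(mnems: List[str]) -> Tuple[int, float]:
    """(number of distinct mnemonics, share of instructions taken by the top two)."""
    if not mnems:
        return 0, 0.0
    counts = Counter(mnems)
    top2 = sum(c for _, c in counts.most_common(2))
    return len(counts), top2 / len(mnems)


def flag_low_diversity(listing: str, min_insns: int = 8,
                       max_distinct: int = 2, min_top2_share: float = 0.9) -> List[str]:
    """Names of functions long enough to matter whose mnemonic mix is suspiciously uniform."""
    flagged = []
    for name, mnems in parse_functions(listing):
        distinct, share = diversity_score(mnems)
        if len(mnems) >= min_insns and distinct <= max_distinct and share >= min_top2_share:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, mnems in parse_functions(SAMPLE_LISTING):
        print(name, len(mnems), diversity_score(mnems))
    print("flagged:", flag_low_diversity(SAMPLE_LISTING))
```

A hit from this check is a reason to look closer, not a verdict: hand-written memcpy loops and unrolled table initialisers are also low-diversity. The slide's last bullet still applies, which is to take the repeated pattern, work out what higher-level operation it implements, and only then decide whether it is a Turing machine in disguise.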