Slide 1: Turing Machine + Malware = Magic

THE ART OF DECEPTION
Adhokshaj Mishra, Staff Detection Engineer - Linux Agent, CWS DBT, SentinelOne Inc.
December 21, 2024, BreachForce Mumbai, Bharat
Margashirsha Krishna Shashthi, Shaka Samvat 1946, Mumbai, Bharat (मार्गशीर्ष कृष्ण षष्ठी शक सं० १९४६, मुंबई, भारत)

Slide 2: Agenda

1. Who am I?
2. What is a Turing Machine?
3. Turing Machine as “hacker tool”
4. “Weaponising” Turing Machines
5. Reversing a Turing Machine

Slide 3: Who am I?

• Detection fella by day, malware fella by night
• Known for giving existential crises
• Guilty pleasure: setting things on fire
• Life motto: let there be malware
• Current gig: Staff Detection Engineer - Linux Agent, SentinelOne Inc.
• Let us connect: LinkedIn: adhokshajmishra

Section 1: Who am I?

Slide 4: Disclaimer

The techniques presented hereafter are offensive in nature, and are generally considered a criminal offence if practised without proper authorisation in place. They are presented here for educational purposes only. In other words, if you come to me saying that you are neck-deep in a mess due to these techniques, I won’t feel responsible at all. You have been warned.

Slide 5

2. WHAT IS A TURING MACHINE?

Slide 6: Turing Machine

• A mathematical model of computation.
• Works by manipulating symbols on an infinitely long tape, according to a given set of rules:
  • Read
  • Compare
  • Jump to a new location
  • Write / replace

Section 2: What is a Turing machine?

Slide 7: Turing Machine

• Despite its simplicity, it is (almost) equivalent to a computer.
• Only difference: a Turing Machine has infinite memory.

In other words, whatever is possible on a computer is also possible on a Turing Machine, and whatever is impossible on a Turing Machine is also impossible on a computer.
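The four primitive operations listed on slide 6 (read, compare, jump to a new state, write/replace) are enough to compute. The simulator below is an added example written for this page, not code from the talk: it runs an arbitrary rule table on an unbounded tape, and the sample rule table adds one to a binary number. Symbol names, the blank marker and the rule-table layout are choices made here.

```python
# Added example (not from the talk): a minimal Turing machine simulator built
# from the four primitives on the slide: read, compare, jump, write/replace.
from collections import defaultdict

BLANK = "_"  # symbol for an unwritten tape cell (choice made here)

def run_turing_machine(rules, tape, start, accept, max_steps=10_000):
    """Run a machine described by rules[(state, symbol)] = (write, move, next_state).

    Returns the tape contents (surrounding blanks stripped) once `accept` is
    reached; raises if no rule applies or the step budget runs out.
    """
    cells = defaultdict(lambda: BLANK, enumerate(tape))  # unbounded tape
    head, state, steps = 0, start, 0
    while state != accept:
        if steps >= max_steps:
            raise RuntimeError("step limit reached")
        key = (state, cells[head])          # read the symbol under the head
        if key not in rules:                # compare against the rule table
            raise RuntimeError(f"no rule for {key}")
        write, move, state = rules[key]     # jump to the next state
        cells[head] = write                 # write / replace the symbol
        head += {"L": -1, "R": 1, "S": 0}[move]
        steps += 1
    lo, hi = min(cells), max(cells)
    return "".join(cells[i] for i in range(lo, hi + 1)).strip(BLANK)

# Binary increment: scan right to the end of the number, then carry leftwards.
INCREMENT_RULES = {
    ("scan", "0"): ("0", "R", "scan"),
    ("scan", "1"): ("1", "R", "scan"),
    ("scan", BLANK): (BLANK, "L", "carry"),   # past the last digit: start carrying
    ("carry", "1"): ("0", "L", "carry"),      # 1 + carry = 0, keep carrying
    ("carry", "0"): ("1", "S", "done"),       # 0 + carry = 1, finished
    ("carry", BLANK): ("1", "S", "done"),     # carry out of the top digit
}

def increment_binary(bits):
    """Increment a binary string using only the machine above."""
    return run_turing_machine(INCREMENT_RULES, bits, "scan", "done")

if __name__ == "__main__":
    for sample in ("0", "1011", "111"):
        print(sample, "->", increment_binary(sample))
```

Six rules and three states do all the work; the point for later slides is that a machine this small can hide inside anything that offers an equivalent read/compare/jump/write cycle.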

Slide 8

(figure only; no text extracted)

Slide 9: Lambda Calculus

• Just as a Turing Machine models a computer, lambda calculus models a programming language.
• Very simple, just like a Turing Machine:
  • Does not have loops
  • Or booleans, or tuples
  • Or basic arithmetic operators (+, - etc.)

Slide 10: Lambda Calculus

Yet any program that can be written in any programming language can also be converted into an equivalent lambda expression. Anything that cannot be converted into a lambda expression cannot be written as a program.
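Slide 9 says the lambda calculus has no booleans, tuples, loops or arithmetic; slide 10 says every program can still be expressed in it. The added example below (written for this page, not from the talk) shows how: Church encodings build each missing feature out of function application alone, with Python lambdas standing in for lambda terms. The decoder helpers at the end exist only so results can be inspected; they are not part of the encodings.

```python
# Added example (not from the talk): booleans, numerals, pairs and recursion
# encoded purely as functions (Church encodings). Nothing inside the
# encodings uses Python's own booleans, ints, tuples or loops.

# Booleans: TRUE selects its first argument, FALSE its second.
TRUE = lambda a: lambda b: a
FALSE = lambda a: lambda b: b
AND = lambda p: lambda q: p(q)(p)
NOT = lambda p: p(FALSE)(TRUE)

# Numerals: the number n is "apply f to x n times".
ZERO = lambda f: lambda x: x
SUCC = lambda n: lambda f: lambda x: f(n(f)(x))
ADD = lambda m: lambda n: lambda f: lambda x: m(f)(n(f)(x))
MUL = lambda m: lambda n: lambda f: m(n(f))
IS_ZERO = lambda n: n(lambda _: FALSE)(TRUE)

# Pairs (tuples): a pair is a function that feeds both halves to a selector.
PAIR = lambda a: lambda b: lambda sel: sel(a)(b)
FST = lambda p: p(TRUE)
SND = lambda p: p(FALSE)

# Predecessor: walk (0,0) -> (0,1) -> (1,2) -> ... n times, take the first half.
PRED = lambda n: FST(n(lambda p: PAIR(SND(p))(SUCC(SND(p))))(PAIR(ZERO)(ZERO)))

# "Loops": recursion through the Z fixed-point combinator (call-by-value safe).
Z = lambda f: (lambda x: f(lambda v: x(x)(v)))(lambda x: f(lambda v: x(x)(v)))

# Factorial: branches are wrapped in thunks so only the chosen one is evaluated.
FACT = Z(lambda self: lambda n:
         IS_ZERO(n)(lambda _: SUCC(ZERO))
                   (lambda _: MUL(n)(self(PRED(n))))(ZERO))

# Decoders for inspection only; these are ordinary Python, not lambda terms.
def church_to_int(n):
    return n(lambda k: k + 1)(0)

def church_to_bool(b):
    return b(True)(False)

def int_to_church(k):
    n = ZERO
    for _ in range(k):
        n = SUCC(n)
    return n

def factorial_via_lambda(k):
    """Compute k! using only the encodings above, decoded at the end."""
    return church_to_int(FACT(int_to_church(k)))

if __name__ == "__main__":
    print("3 + 4 =", church_to_int(ADD(int_to_church(3))(int_to_church(4))))
    print("5! =", factorial_via_lambda(5))
```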

Slide 11

(figure only; no text extracted)

Slide 12

3. TURING MACHINE AS HACKER TOOL

Slide 13: Why even care about it?

• Turing machines allow us to analyse “problems” in very abstract terms.
• Program the solution for a Turing machine.
• Then build that Turing machine somewhere.
• And the program magically runs at that place.

Section 3: Turing machine as hacker tool

Slide 14

(figure only; no text extracted)

Slide 15: Why even care about it?

There are some “unexpected” benefits:
• Not all Turing machines look and feel like Turing machines.
• Even when they do, many of them will not be obvious at all.
• Some are so counter-intuitive that nothing less than a formal proof can convince you!

Slide 16: Use cases

Code obfuscation
• Instructions doing unintuitive things.
• An instruction is supposed to do X, but somehow Y also happens.
• The analyst and his tools focus on X.
• And Y remains a mystery.

Slide 17: Use cases

Control flow obfuscation
• Unintuitive control flows.
• Control flow can look linear while containing various jumps and branches.
• The malware analyst and his tools see a straight line.
• While the “real control flow” remains hidden in plain sight.

Slide 18

4. WEAPONISING TURING MACHINES

Slide 19: Turing Completeness

Turing completeness describes a system's or computer's capacity to solve any computable problem if provided with enough memory and time.

Turing complete = can solve any solvable problem given enough memory and time.

Section 4: Weaponising Turing Machines

Slide 20: Finding Turing Completeness

We have mostly two options. First option:
• Build a Turing machine from its definition, using the arrangement we want to test for Turing completeness.
• Can we build a Turing machine?
  • Yes: the arrangement is Turing complete.
  • No: the arrangement is not Turing complete.

Slide 21: Finding Turing Completeness

Second option:
• Mimic something else which is already known to be Turing complete.
• Can we mimic some Turing complete stuff?
  • Yes: Turing complete.
  • No: not Turing complete.

Slide 22: Turing complete systems

We already know some Turing complete systems:
• BrainFuck is Turing complete.
• Convert your payload into a BrainFuck program.
• Let the analyst have fun reversing it.

Slide 23: Turing complete systems

BrainFuck:

>>+>>>>>,[>+>>,]>+[--[+<<<-]<[<+>-]<[<[->[<<<+>>>>+<-]<<[>>+>[->]<<[<]<-]>]>>>+<[[-]<[>+<-]<]>[[>>>]+<<<-<[<<[<<<]>>+>[>>>]<-]<<[<<<]>[>>[>>>]<+<<[<<<]>-]]+<<<]+[->>>]>>]>>[.>>>]

This program sorts the given inputs using quick sort.
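An analyst facing a program like the one on this slide needs to execute it under control rather than read it. The interpreter below is an added example written for this page, not code from the talk: eight commands over a tape of 8-bit cells, with bracket matching precomputed so malformed programs are rejected up front. The tape size, cell width and the choice to read end-of-input as 0 are assumptions made here; the slide's program is embedded (whitespace removed) so it can be run on constructed input.

```python
# Added example (not from the talk): a small BrainFuck interpreter for
# executing programs such as the one on the slide under observation.

def _match_brackets(code):
    """Precompute matching '[' / ']' positions; raise on unbalanced code."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")
    return pairs

def run_bf(code, stdin=b"", tape_size=30000, max_steps=10_000_000):
    """Execute BrainFuck `code` with `stdin` as input; return the output bytes."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")  # BF ignores other chars
    jumps = _match_brackets(code)
    tape = bytearray(tape_size)        # 8-bit cells, wrap on overflow (assumption)
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(code):
        if steps >= max_steps:
            raise RuntimeError("step limit reached")
        op = code[pc]
        if op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer moved left of cell 0")
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0  # EOF reads as 0
            inp += 1
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]             # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]             # repeat the loop body
        pc += 1
        steps += 1
    return bytes(out)

# The sorting program from the slide, whitespace removed.
SORT_PROGRAM = (
    ">>+>>>>>,[>+>>,]>+[--[+<<<-]<[<+>-]<[<[->[<<<+>>>>+<-]<<[>>+>[->]<<[<]"
    "<-]>]>>>+<[[-]<[>+<-]<]>[[>>>]+<<<-<[<<[<<<]>>+>[>>>]<-]<<[<<<]>[>>[>>>]"
    "<+<<[<<<]>-]]+<<<]+[->>>]>>]>>[.>>>]"
)

if __name__ == "__main__":
    # Constructed input; the output shows what the slide's program does with it.
    print(run_bf(SORT_PROGRAM, b"cab"))
```

The step budget matters in practice: a program that is Turing complete can also fail to halt, and an analyst's sandbox needs a bound before it runs untrusted code.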

Slide 24: Turing complete systems

BrainFuck is too easy for our taste. We need something more esoteric.
• The combination of assignment and conditional jump is Turing complete.

Can we torture this into doing something useful for us?

Slide 25: Weaponising Turing Machines

If you think hard about it, it turns out that a lot of things are accidentally Turing complete:
• Repeated string lookup and replace
  • A general Turing machine with extra steps.
• Example: repeated invocation of the pre-processor in C (or even C++)
• Example: font ligature processing (with specially crafted font files)

The first is too “easy” for our taste. The other two stick out like sore thumbs.

Slide 26: Weaponising Turing Machines

There are even better options:
• MOV in x86 is Turing complete.
  • Published paper: https://drwho.virtadpt.net/files/mov.pdf
  • Proven by building a Turing machine from its definition.

Slide 27

(figure only; no text extracted)

Slide 28: Weaponising Turing Machines

This is not limited to Intel x86, or to CISC architectures. Accidental Turing completeness is present in RISC architectures as well.
• LDR + STR in aarch64 (64-bit ARM) is Turing complete.
• Anything can be done by loading and storing.

Slide 29: Weaponising Turing Machines

To prove it, we will rely on “assignment + conditional jump is Turing complete”.

Assignment: suppose a value V is to be assigned to a variable located at address A.

    LDR X1, =A      ; load address A into X1
    LDR X2, =V      ; load value V into X2
    STR X2, [X1]    ; store the value from X2 at the address held in X1

Slide 30: Weaponising Turing Machines

Comparison: we can trivially check whether two given values A and B are equal or not.

    LDR X1, =A      ; value 1 to be compared
    LDR X2, =B      ; value 2 to be compared
    LDR X3, =0      ; result for false / not equal
    LDR X4, =1      ; result for true / equal
    …

Slide 31: Weaponising Turing Machines

Comparison: we can trivially check whether two given values A and B are equal or not.

    …
    STR X3, [X1]    ; store ‘false’ at the address held in X1
    STR X4, [X2]    ; store ‘true’ at the address held in X2
    LDR X5, [X1]    ; read the result from the address held in X1

Slide 32: Weaponising Turing Machines

Comparison: we can trivially check whether two given values A and B are equal or not.

If A == B:

    …
    STR X3, [X1]    ; store ‘false’ at the address held in X1
    STR X4, [X2]    ; overwrites the result with ‘true’, as X2 == X1
    LDR X5, [X1]    ; reads ‘true’

Slide 33: Weaponising Turing Machines

Comparison: we can trivially check whether two given values A and B are equal or not.

If A != B:

    …
    STR X3, [X1]    ; store ‘false’ at the address held in X1
    STR X4, [X2]    ; result not overwritten, as X2 != X1
    LDR X5, [X1]    ; reads ‘false’

Slide 34: Weaponising Turing Machines

Conditional jump: based on the result of the comparison, we can pick one address to jump to. Let us assume:
• If the comparison result is 0, the destination address is A.
• If the comparison result is 1, the destination address is B.

Slide 35: Weaponising Turing Machines

We start by making a lookup table of addresses:

    LDR X1, =D          ; D is the address where the lookup table is to be stored
    LDR X2, =A          ; target address for ‘false’
    LDR X3, =B          ; target address for ‘true’
    STR X2, [X1]        ; first entry in the lookup table, at [X1]
    STR X3, [X1, #8]    ; second entry in the lookup table, at [X1 + 8]

Slide 36: Weaponising Turing Machines

Once we have our lookup table ready, we can perform the lookup. The comparison result is stored in X5.

    ; X1 contains the table address
    ; X5 contains the offset
    ; ‘LSL #3’ scales the offset by 2^3
    LDR X4, [X1, X5, LSL #3]

Slide 37: Weaponising Turing Machines

Once we have our lookup table ready, we can perform the lookup. The comparison result is stored in X5.

    ; if X5 = 0, X4 will contain [X1], which is target address A
    ; if X5 = 1, X4 will contain [X1 + 8], which is target address B
    LDR X4, [X1, X5, LSL #3]

Slide 38: Weaponising Turing Machines

Since we have implemented all components of “assignment and conditional jump”, we claim that LDR + STR is Turing complete. In other words, we can implement a sufficiently large part of our payload in a chain of LDR and STR.
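Slides 29 to 37 build assignment, comparison and the conditional-jump lookup out of loads and stores. The model below is an added example written for this page, not code from the talk: memory is a dictionary from 64-bit address to 64-bit value, and each helper performs exactly the LDR/STR sequence of the corresponding slide, with the slide's register names in the comments. Unwritten memory reading as 0, and the choice of sample addresses and targets, are assumptions made here. The slides stop at loading the selected target into X4; the glue function simply returns that address.

```python
# Added example (not from the talk): a Python model of the LDR/STR
# "assignment + conditional jump" construction. The comparison trick relies on
# the compared VALUES being used as ADDRESSES: 'false' is stored at [A] and
# 'true' at [B]; if the two alias, the second store wins and [A] reads 'true'.

MASK64 = (1 << 64) - 1
SLOT = 8  # LSL #3 scales the table index by 2^3 = 8 bytes per entry

def ldr(mem, addr):
    """LDR Xn, [addr]: read a 64-bit word; unwritten memory reads as 0 (assumption)."""
    return mem.get(addr & MASK64, 0)

def str_(mem, addr, value):
    """STR Xn, [addr]: write a 64-bit word."""
    mem[addr & MASK64] = value & MASK64

def assign(mem, A, V):
    """Slide 29: LDR X1,=A ; LDR X2,=V ; STR X2,[X1]."""
    X1, X2 = A, V
    str_(mem, X1, X2)

def compare_equal(mem, A, B):
    """Slides 30-33: return 1 if A == B else 0, using only loads and stores.

    Side effect worth noticing: memory at addresses A and B is clobbered, so
    in a real chain the compared values must point at scratch memory.
    """
    X1, X2, X3, X4 = A, B, 0, 1     # LDR X1,=A ; LDR X2,=B ; LDR X3,=0 ; LDR X4,=1
    str_(mem, X1, X3)               # STR X3, [X1]   'false' at [A]
    str_(mem, X2, X4)               # STR X4, [X2]   'true' at [B]
    return ldr(mem, X1)             # LDR X5, [X1]   read the result back

def build_jump_table(mem, D, A, B):
    """Slide 35: LDR X1,=D ; LDR X2,=A ; LDR X3,=B ; STR X2,[X1] ; STR X3,[X1,#8]."""
    X1, X2, X3 = D, A, B
    str_(mem, X1, X2)
    str_(mem, X1 + SLOT, X3)

def select_target(mem, D, X5):
    """Slides 36-37: LDR X4, [X1, X5, LSL #3] picks table entry X5."""
    X1 = D
    return ldr(mem, X1 + (X5 << 3))

def conditional_jump(mem, value_a, value_b, D, target_false, target_true):
    """Compare two values, then pick the jump target from the lookup table.

    Ordering follows the slides: compare first, then build and consult the
    table, so the comparison's stores cannot overwrite the table entries.
    """
    X5 = compare_equal(mem, value_a, value_b)
    build_jump_table(mem, D, target_false, target_true)
    return select_target(mem, D, X5)

if __name__ == "__main__":
    mem = {}                                # constructed, initially empty memory
    assign(mem, 0x1000, 42)
    print(hex(conditional_jump(mem, 7, 7, 0x3000, 0xAAAA, 0xBBBB)))  # A == B
    print(hex(conditional_jump(mem, 7, 9, 0x3000, 0xAAAA, 0xBBBB)))  # A != B
```

For a reverser the useful observations are the side effects: every comparison writes to memory at the compared values, and every branch reads a small address table. Those memory accesses are what remain visible when the instruction stream itself looks like an endless run of loads and stores.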

Slide 39: Weaponising Turing Machines

Other Turing complete arrangements:
• XOR in Intel x86 is Turing complete.
• ELF loading is Turing complete.
  • Needs a specially crafted ELF.
• Ligature handling in fonts is Turing complete.
  • Needs specially crafted fonts.
• Single instruction set computers (also known as Turing tarpits).

Slide 40: Weaponising Turing Machines

Using such techniques at scale:
• Modify a compiler to generate a chain of MOVs or LDRs / STRs instead of other instructions.
  • Or generate a suitable ELF / font file etc.
• Use the modified compiler to compile the source code.
• And enjoy the fireworks while the analyst screams in horror.

Slide 41: Generated code (Assembly)

(figure only; no text extracted)

Slide 42: Decompiled code (C / C++)

(figure only; no text extracted)

Slide 43

5. REVERSING TURING MACHINES

Slide 44

(figure only; no text extracted)

Section 5: Reversing Turing Machines

Slide 45: Identifying Turing Machines

To identify potential Turing machines:
• You already need to know the common “patterns” which lead to Turing completeness.
• Such Turing machines will have a small number of distinct steps being repeated very frequently.
• When in doubt, analyse the pattern and see whether it can be proven to be Turing complete.
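The second bullet above, a small number of distinct steps repeated very frequently, is something a detection engineer can measure. The heuristic below is an added example written for this page, not tooling from the talk: it extracts mnemonics from disassembly text, slides a fixed window over the instruction stream, and flags windows where the one or two most common mnemonics account for nearly every instruction, then merges overlapping windows into regions for an analyst to look at. The disassembly sample is constructed; the window size, top-k and threshold are tunable assumptions.

```python
# Added example (not from the talk): flag regions of disassembly where a
# tiny set of mnemonics dominates, the signature of a load/store or MOV chain.
import re
from collections import Counter

# Constructed sample: an ordinary prologue, a long ldr/str-only run in the
# shape of the comparison sequence from the talk, then ordinary code again.
SAMPLE_DISASM = "\n".join(
    ["stp x29, x30, [sp, #-16]!", "mov x29, sp", "bl 0x400520", "cmp w0, #0",
     "b.ne 0x400600"]
    + ["ldr x1, =0x10000", "ldr x2, =0x1", "str x2, [x1]", "ldr x5, [x1]"] * 12
    + ["add x0, x0, #1", "ret"]
)

MNEMONIC_RE = re.compile(r"^\s*([a-z][a-z0-9.]*)", re.IGNORECASE)

def mnemonics(disasm):
    """Return the mnemonic of each non-empty disassembly line, lower-cased."""
    out = []
    for line in disasm.splitlines():
        m = MNEMONIC_RE.match(line)
        if m:
            out.append(m.group(1).lower())
    return out

def low_diversity_windows(mnems, window=16, top_k=2, threshold=0.9):
    """Return (start, end, dominant_mnemonics) for every window in which the
    top_k most common mnemonics make up at least `threshold` of the window."""
    hits = []
    for start in range(0, max(1, len(mnems) - window + 1)):
        chunk = mnems[start:start + window]
        if len(chunk) < window:
            break
        counts = Counter(chunk).most_common(top_k)
        share = sum(c for _, c in counts) / len(chunk)
        if share >= threshold:
            hits.append((start, start + window, tuple(m for m, _ in counts)))
    return hits

def merge_ranges(hits):
    """Collapse overlapping windows into one region per suspicious run."""
    merged = []
    for start, end, names in hits:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(end, merged[-1][1]), names)
        else:
            merged.append((start, end, names))
    return merged

def suspicious_regions(disasm, **kw):
    """Instruction-index ranges worth a closer look, with the dominant mnemonics."""
    return merge_ranges(low_diversity_windows(mnemonics(disasm), **kw))

if __name__ == "__main__":
    for start, end, names in suspicious_regions(SAMPLE_DISASM):
        print(f"instructions {start}-{end}: dominated by {', '.join(names)}")
```

A hit is a lead, not a verdict: tight copy loops and unrolled memsets also produce low-diversity windows, which is why the slide's third bullet, proving the pattern Turing complete, still has to follow.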

Slide 46: Reversing Turing Machines

To reverse potential Turing machines:
• Identify the patterns being used as basic building blocks.
• Identify how these patterns implement higher-level operations (loops, function calls etc.).
• Analyse the actual payload by dissecting it into groups of the patterns from the previous step.

Slide 47

धन्यवाद (Thank you)
THANK YOU