No More Hooks: Trustworthy Detection of Code Integrity Attacks Xeno Kovah, Corey Kallenberg, Chris Weathers, Amy Herzog, Matthew Albin, John Butterworth MITRE © 2012 The MITRE Corporation. All rights reserved. Malicious Software Dear everyone: This system is Infected! Security Software MITRE © 2012 The MITRE Corporation. All rights reserved. Malicious Software I don't like you. You are annoying. Security Software MITRE © 2012 The MITRE Corporation. All rights reserved. Malicious Software I don't like you. You are annoying. Security Software *scribble* *scribble* *scribble* MITRE © 2012 The MITRE Corporation. All rights reserved. Malicious Software Dear everyone: This system is A-OK! Security Software MITRE © 2012 The MITRE Corporation. All rights reserved. Malicious Software That's what I'm talkin' 'bout (Bruce) Willis! Security Software MITRE © 2012 The MITRE Corporation. All rights reserved. Malicious Software Security Software *scan* *scan* *scan* Checkmate Security Software is compromised! MITRE 7 © 2012 The MITRE Corporation. All rights reserved. f Malicious Software You are similarly annoying! Checkmate *scribble* *scribble* *scribble* MITRE 8 © 2012 The MITRE Corporation. All rights reserved. Malicious Software Security Software Checkmate Don't believe me! I'm compromised! ity Software sOK. MITRE 9 © 2012 The MITRE Corporation. All rights reserved. Malicious Software Are you kidding me? F*&@ A self- checking tricorder... This is ridiculous! *scribb *scribb *scribb MITRE Checkmate 1 © 2012 The MITRE Corporation. All rights reserved. Malicious Software Security Software Checkmate l...am...O...K... ity Software sOK. MITRE 11 © 2012 The MITRE Corporation. All rights reserved. Timing-Based Attestation (aka Software-Based Attestation) Based on concept of Pioneer by Seshadri et al. Assumptions - You can know the client hardware profile - Your self-check is the most optimized implementation Implemented from scratch, independently confirmed previous results. Source code is released so we can work with other researches to validate/improve it. http://code.google.eom/p/timing-attestation MITRE 12 © 2012 The MITRE Corporation. All rights reserved. Nitty Gritty How Does it Work? • The self-check is hand coded asm to try to build a timing side-channel into its execution • The system measurements are things like you would fine in any memory integrity checking software like MS's PatchGuard, Mandiant's MIR, or HBGary's Active Defense. • We're going to focus on the self-check, because that's what we have that others don't MITRE 13 © 2012 The MITRE Corporation. All rights reserved. First principles 1 • "I want to know that my code isn't changed while it's running" • Malware does this by self-checksumming or even self-timing with an rdtsc instruction. This commonly detects hardware and software breakpoints. • Problem: An attacker (from malware's perspective the analyst, from our perspective, malware) can just force the check to always succeed. MITRE 14 © 2012 The MITRE Corporation. All rights reserved. Original code int main(){ foo = Selfcheck(); jf(foo == 0xl2341234){ DoSomething(); return SUCCESS; } else{ return FAILURE; } } MITRE Attacker rewrites code int main(){ foo = So l fchockQ; foo = 0x12341234; jf(foo == 0xl2341234){ DoSomethingO; return SUCCESS; } else{ return FAILURE; } } MITRE © 2012 The MITRE Corporation. All rights reserved. First principles 2 • At this point basically everyone gives up, and just goes with code obfuscation. • We go with - 1) making the self-check a function of a nonce - 2) controlling the execution environment to yield highly predictable runtime - 3) just let the code run, and evaluate whether it was tampered with back at a remote server, based on the self-checksum AND the runtime MITRE 17 © 2012 The MITRE Corporation. All rights reserved. New outline for code int main(){ int selfchecksum[6]; nonce = WaitForMeasurementRequestFromVerifierQ; Selfcheck(&selfchecksum, nonce); SendResultsToVerifier(selfchecksum,nonce); results = DoSomething(); SendResultsToVerifier(results); return SUCCESS; MITRE © 2012 The MITRE Corporation. All rights reserved. Thoughts on the nonce • No single correct value that the attacker can send-back to indicate the code is intact • Large nonce and/or self-checksum size reduces probability of encountering precomputation attacks - Attacker needs to store 2 A 32*192 bits (96GB) in RAM for a 32 bit precomputation or 2 A 64*384 bits (768 Zetabytes) for our 64 bit implementation MITRE 19 © 2012 The MITRE Corporation. All rights reserved. What should we actually read to indicate the code is unmodified? A pointer which points at our own code - We will call this DP for data pointer - This indicates the memory range where our code is executing from. Original Pioneer assumed it was in a fixed location that we could know, but on Widows, no such luck (ASLR & faux ASLR) Our own code bytes - We will call this *DP (C syntax) or [DP] (asm syntax) to indicate we're dereferencing the data pointer Our instruction pointer (EIP) - This also indicates the memory range where our code is executing from. Should generally agree with DP. MITRE 20 © 2012 The MITRE Corporation. All rights reserved. Selfcheck() .01 void Selfcheck(int * selfchecksum, int nonce){ int * DP = GetMyCodeStart(); int * end = GetMyCodeEndQ; while(DP esi mul eax or eax, 5 add esL eax \or ccs. esi add ecx h edi \or ccx> [edi] mov eax> esi I \or edx< edx div metnRange add edx> codeStart mov edi, edx mov cax, dr7 add ecx, eax | xor ecx, [esp] add esp< 4 Lest esi, esi mov cax, [ebp-i-4" mov edSn [ebpj mov cax, [edx+4j \or cm, esi add ecx, eax Public releasi MIXJtilP ELPjiRC ([esp]) + EI1 ] _DST fees) ecx is then used as an accumulator Etcset stack after fclF SHC push UJ > DAitJ ] RN_\0\RO Create a copy of x before squaring cax = x*x cax = (x*x OR 5) PRN = x + {x*x OR 5) Mix PRN with the accumulator ecx READ_AN D_U l*DAl"L_Di J _ VARO Mix DP with accumulator ecx Mix *DF with accumulator ecx Move FRN to eax Clear edx edx — PRN modulo memKange edx=codeStart-KPRN mod memRange) Update DP to new value READ_LJEt_iiDVm_VARQ Copy the DR7 register Mix DR7 with accumulator ecx Mix HFLAGS with accumulator ecx Reset stack after HFLAGS push READ_RAND_RET U RN_ADDRESS AND l*R.N with self and set flags Move PARENT RET to eax Hardcoded bytes for ifrPF) jump 6 l*t is parity flag .set by test esi;, esi The jump would land at the next xor If not jumped over, move the GRANDPARENTJihT to eax Xor saved net with PRN Mix xored saved ret with accumulator ed self-check CUE CKSU M_U PDA'J E mov eax, ebx Copy loop counter to eax and eax, 3 Use bottom 2 bits of loop counter to specify which checksum memory entry to directly update. xor [csp-hcax*4j H ecx Xor ehccksum[eax-i-l J, accumulator (+1 because checksum [OJ is below esp) bt Lesp+OxlOj, 1 Set carry flag based on LSB of checksum 15 J rcr [esp-OxOSj^ 1 Rotate right with carry chccksimi[Oj rcr [esp]< I Rotate right with carry checksum", I J rcr [esp-i-0xQ4] h 1 Rotate right with carry chccksum[2] rcr [esp+ftxO&] K 1 Rotate right with carry chccksum[3] rcr [esp+QxQCj, 1 Rotate right with carry chec ksuira[4] rcr [esp-i-0xl0j h 1 Rotate right with carry chccksum[5] INTERBLOCK TRANSFER sub ebx, I Decrement loop counter test ebx> ebx Check if loop counter is jz sctRange If 0, jump to minicheefcsum switch lea edx< address Table Otherwise^ prepare to jump to next block. Load address of table holding start address ot each block mov eax> esi Copy PRN to eax and eax, 7 Use bottom i bits to decide which block to call to next mov ecx, [edx+eax*4] Move E1I*_DS 1 to ecx call ecx Call to next bLock Implicitly push EJ1 ] _SRC 31 © 2012 The MITRE Corporation. All rights reserved. Figure From Pioneer Memory /////77 f t f r f r V. rune y DP PC (a) No attack, PC and DP arc within the correct range. Attacker gets free DP or EIP forgery thanks to ASLR. We had the least overhead with this attack Mai. tunc V. Func ^ /////7> PC DP (c) Memory copy at- tack 2. PC incorrect, DP correct , MITRE opy Attacks ////// / ] V. func / / / / / / / / < Mai, func xxxxx DP PC (b) Memory copy at- tack 1. PC correct, but DP incorrect. By definition, more overhead than (b) or (c). Not a good idea. {d) Memory copy at- tack 3. PC and DP in- correct. 32 © 2012 The MITRE Corporation. All rights reserved. How it works without attacker Verifier I N T R A Original copy of self-checking kernel module MeasurementRequest Nonce = 0xf005ball 1 Call Send(Selfchecksum) Send(BaseVA=OxlOCO) 4 call Send(Measurement) Svstem BaseVA = 0x1000 3 ret MITRE © 2012 The MITRE Corporation. All rights reserved. Our current fastest PoC attack (built into the public released code for easy toggling) I N T R A N E T Original copy of self-checking kernel module M easurementRequest Nonce = 0xf005ball BaseVA = 0x1000 Clean copy of complete kernel module 5 call Send(Selfchecksum) Send(BaseVA=0x2000 6 Send(Measurement) VILVFUNC system ies that system is clean) DP/ /(free forgery) FORGED VFUNC EIP RANGE BaseVA = 0x2000 EVILVFUNC forges EIP to be at the right offset In the lied-about DP range MITRE © 2012 The MITRE Corporation. All rights reserved. Other tricks • Not discussed in depth due to lack of time, see our full paper, the related work, and the source code • "The stack trick" - if you store part of your self-checksum *below* esp, then you can guarantee that if someone causes an interrupt during your execution, part of the self-checksum will be destroyed • Put PRN into DR7 and read it to prevent cost-free use of hardware breakpoints • Read parent and grandparent return addresses off the stack, otherwise when the self-check is done it will return to attacker code (important for TOCTOU as described in a little bit) • Additional control flow integrity comes from doing a mini- checksum over 3 rd party modules which we depend on, or that we indirectly depend on. So if we depend on ntoskrnl.exe and it depends on hal.dll, then we measure parts of both. MITRE 35 © 2012 The MITRE Corporation. All rights reserved. Some stuff that's been suggested that we tried but ultimately backed away from Polymorphic self-check code - Because due to the cache misses and branch mispredictions, this increases the absolute runtime of the code. Also, the attacker can implement a non-polymorphic forgery which is way faster thanks to no cache misses (we implemented such an attack) Exploiting the memory hierarchy by filling instruction and data cache to capacity - Because unless you have sufficient unique order of inclusion into self-checksum block variants to fill the cache, the attacker can avoid cache spillage by just making his attack have a lx copy of each of your unique blocks, and then keeping track of the order that the blocks would execute in (we implemented such an attack) MITRE 36 © 2012 The MITRE Corporation. All rights reserved. So what are the new results? Countered some previous attacks (Castelluccia et al.) and some new ones we came up with - Implementation lessons learned and design decisions will be documented in a future journal paper. Demonstrated that the system can work without being NIC-specific (Pioneer was built into an open source NIC driver.) Showed that it can work over 10 network links of a production enterprise LAN (Pioneer said it worked over "same ethernet segment") Benchmarked the attestation to see the effects on network throughput, filesystem read/write performance, and CPU benchmarking applications Made the first implementation for TPM-based timing-based attestation (Schellekens et al. proposed it but didn't implement anything.) Defined the relation of TOCTOU to existing and new attacks so defenses can be better researched. MITRE 37 © 2012 The MITRE Corporation. All rights reserved. Network Topology Server Links to client or server are copper. All other links are fiber. Switch Switch Client 1 link Client 2 links Client 3 links Switchl^ffl Switch^ Switch Client 10 links Client 8 links Switch Switch Router (building 2) Router Router (buildingl) (Core) MITRE 38 Icons from http://nag.ru/goodies/manuals/Cisco-icons.ppt ©mut^m™ capon** .an ^ reserved. Can we detect the reference attacker over the maximum hop count on our Virginia campus? H 6 116000 - 115000 - 114000 - 113000 - 112000 Absent Attack 9 1 1 1000 1 1 0000 1 09000 V > 3 X Attack Present 9 y o Attack Absent X V o 100 200 300 400 MITRE Measurement number 39 © 2012 The MITRE Corporation. All rights reserved. Can we detect the reference attacker over the maximum hop count on our Virginia campus? H 6 116000 - 115000 - 114000 - 113000 - 112000 Absent v > 3 © > x Attack 1 1 1000 © Attack Present Upper bound of expected timing Attack Absent 110000 - 1 09000 Lower bound of expected timing ^^^^^^^^^ - X V o 100 200 300 400 MITRE Measurement number 40 © 2012 The MITRE Corporation. All rights reserved. Can we detect the reference attacker over the maximum hop count on our Virginia campus! H 6 116000 - 115000 - 114000 - 113000 - 112000 Absent Attack 1 1 1000 nooooc- 1 09000 MITRE V > 3 © > X o Attack Present What are those? Attack Absent X 100 200 300 400 Measurement number 41 © 2012 The MITRE Corporation. All rights reserved. Can we detect the reference attacker over the maximum hop count on our Virginia campus? H 6 116000 - 115000 - 114000 - 113000 - 112000 Absent Attack s 1 1 1000 1 1 0000 1 09000 o Attack Present What are those? _ Attack Absent X V o 100 200 300 400 MITRE Measurement number 42 © 2012 The MITRE Corporation. All rights reserved. Can we use a single bound for measurement times anywhere on our network? C/5 H H a (1) 113500 113000 "host2 llink 112500 112000 111500 111000 110500 'hostl_21inks' host2_21inks 'hostl_31inks' 'host2_31inks' 'hostl_81inks' 'host2 81inks' "hostl_101inks' "host2 lOlinks' -X A V Attack Absent Attack Present 110000 50 100 Measurement number 150 MITRE 200 43 © 2012 The MITRE Corporation. All rights reserved. Can we use a single bound for measurement times anywhere on our network? C/5 H H a (1) 113500 113000 "host2 llink 112500 112000 111500 111000 110500 'hostl_21inks' host2_21inks 'hostl_31inks' 'host2_31inks' 'hostl_81inks' 'host2 81inks' "hostl_101inks' "host2 lOlinks' -X A V Attack Absent Attack Present 110000 Upper Bound Lower Bound 50 100 Measurement number 150 200 MITRE 44 © 2012 The MITRE Corporation. All rights reserved. Server Trusted Platform Module (TPM) Timing Implementation TPM Tickstamp Nonce = 0xf005b Client TPM all Signed Tickstamp 1 & 2 Se lf-Checksum Nonce = 0xf005ball Request Tickstamp(0xf005ball) Signed Tickstampl_ Self-Check (nonce = signature) .Request TickstamnK P lf.r h ^, n , m) Signed Tickstarnp At MITRE 45 © 2012 The MITRE Corporation. All rights reserved. TPM Implementation - Single Hos 800 798 796 794 792 u 790 788 786 784 782 780 51 101 151 201 251 301 351 MITRE Measurement number 46 © 2012 The MITRE Corporation. All rights reserved. TPM Implementation - Single Hos 800 798 796 794 792 790 788 786 784 Why did the median go down by 1 after the attack? 782 780 51 101 151 201 251 301 351 MITRE Measurement number 47 © 2012 The MITRE Corporation. All rights reserved. TPM Implementation - 32 Hosts 880 860 840 820 800 V — LWMJAAJ — .AA. AA AA V-VAA A A ^AA A.JV- 780 51 101 151 201 251 301 351 MITRE Measurement number 48 © 2012 The MITRE Corporation. All rights reserved. TOCTOU Attacker moves out of the way, just in time MITRE © 2012 The MITRE Corporation. All rights reserved Conditions for TOCTOU • 1) The attacker must know when the measurement is about to start. • 2) The attacker must have some un-measured location to hide in for the duration of the measurement. • 3) The attacker must be able to reinstall as soon as possible after the measurement has finished. MITRE 50 © 2012 The MITRE Corporation. All rights reserved. Malicious Software Security Software Checkmate l...am...O...K... ity Software sOK. MITRE 51 © 2012 The MITRE Corporation. All rights reserved. lalicious Software Oh, you're about to do a self-check? Let me just... Checkmate *erase* *erase* *erase* *erase* *erase* *erase* MITRE © 2012 The MITRE Corporation. All rights reserved. Malicious Software Security Software Checkmate I'm OK Security Software is OK. MITRE 53 © 2012 The MITRE Corporation. All rights reserved. Malicious Software Done? Good. Let me just... Checkmate *scribble* *scribble* *scribble* *scribble* *scribble* *scribble* MITRE 54 © 2012 The MITRE Corporation. All rights reserved. What regal clothes you have, Emperor Most software's TOCTOU defense is just assuming it away. - Violate our assumption that the attacker can get to the same level as the security software, and then for instance pull the measurement agent out to a VMM for instance. Then maybe the attacker can't see a measurement is about to start. If the attacker can get to the VMM, same problem. - In the phone/embedded systems realm (FatSkunk/SWATT) they have tried to measure the full contents of RAM to implicitly counter TOCTOU condition 2. But that's not really practical for PCs due to the amount of time necessary, and the "measure all" is of dubious utility. (How do you validate that a chunk of heap containing code of function pointers is the "correct" value?) Control flow integrity violation serves as an enabler for TOCTOU attacks MITRE 55 © 2012 The MITRE Corporation. All rights reserved. Questions? {xkovah,ckallenberg} at mitre.org http://code.google.eom/p/timing-attestation P.s. http://OpenSecurityTraining.info - x86 assembly/architecture & rootkits classes (Xeno) - Exploits classes (Corey) - TPM class (Ariel) - VT-x class (David) - Intro RE/Malware Static Analysis classes (Matt & Frank) - And many others MITRE 56 © 2012 The MITRE Corporation. All rights reserved. Backup slides MITRE 57 © 2012 The MITRE Corporation. All rights reserved. Where else has this been used? Embedded systems (A. Seshadri, A. Perrig, L. van Doom, and P. Khosla. SWATT: Software- & wireless sensors based attestation for embedded devices) t (M. Shaneck, K. Mahadevan, V. Kher, and Y. Kim. Remote software-based attestation for wireless sensors, Y. Choi, J. Kang, and D. Nyang. Proactive code verification protocol in wireless sensor network.) SCADA (A. Shah, A. Perrig, and B. Sinopoli. Mechanisms to provide integrity in SCADA and PCS devices) Keyboards to counter BlackHat talk i (Y. Li, J. M. McCune, and A. Perrig. SBAP: Software-Based Attestation for Peripherals.) Android Phones (M. Jakobsson and K.-A. Johansson. Practical and secure software-based attestation.) MITRE 58 © 2012 The MITRE Corporation. All rights reserved. Future Work (Stop trying to hit me, and hit me!) • Use analysis-timing-constrained control flow, e.g TEAS by Garay & Huelsbergen, to combat TOCTOU condition 1 • Use multiple processors in parallel to combat TOCTOU condition 3 Self-check 1 Processor 1 ' Processor 2 « Self - check 2 Self-check n Processor n • Time • Investigate timing-based attestation lower level in the system (e.g. BIOS & SMM) MITRE 59 © 2012 The MITRE Corporation. All rights reserved. Who we would like to hear from • All of you - How can we build better attacks against our PoC implementation? How can we combat TOCTOU in a more generic way? • Intel/AMD - How can we further optimize our assembly? • Microsoft - Is there anything we should be doing with our NDIS driver to optimize it? Could you using timing-based attestation to detect PatchGuard being disabled? MITRE 60 © 2012 The MITRE Corporation. All rights reserved. Proxy Attacks Server Measurement Type: FOO, Nonce = 0xf005ball Compromised Client Faster Client Self-Checksum, Nonce = 0xf005ball Measurement Type: FOO, Nonce = 0xf005ball Self-Checksum, Nonce = OxfOOSball^ Self-Check (Nonce = 0xf005ball) MITRE 61 © 2012 The MITRE Corporation. All rights reserved. TPM Timing Implementation Proxy Attack Server Slow Client TPM Fast Client MITRE 62 © 2012 The MITRE Corporation. All rights reserved.