Description
Intrusion detection systems that monitor sequences of system calls have recently become more sophisticated in defining legitimate application behavior. In particular, additional information, such as the value of the program counter and the configuration of the program's call stack at each system call, has been used to achieve a better characterization of program behavior. While there is common agreement that this additional information complicates the task for the attacker, it is less clear to what extent an intruder is actually constrained.
To address this point we propose a technique that, given a legitimate sequence of system calls, allows the attacker to execute each system call in the correct execution context by obtaining and relinquishing the control of the application's execution flow through manipulation of code pointers. The problem of evasion, then, is reduced to a traditional mimicry attack.
Our technique uses symbolic execution of a program binary in order to automatically identify instructions that can be used by an attacker to regain control (e.g., indirect jump to an injected code block) and the necessary modifications to the program environment (e.g., register or memory contents) that are necessary to successfully make use of these instructions.
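The following is an added illustration, not code from the project or the paper, of the two kinds of monitoring described above: a classic model over system-call names alone, and a model that also keys each system call on the program counter and the call-stack configuration. It runs over constructed traces with made-up addresses and shows why a naive mimicry attempt that issues the right system calls from injected code is caught only by the context-aware model, which is the constraint the technique described above is designed to work around.

```python
# Added example (not part of the original page). Traces, syscall names and
# addresses below are constructed for illustration only.

# A trace event is (syscall, program_counter, call_stack), where call_stack is
# the tuple of return addresses on the stack at the time of the system call.
TRAINING_TRACES = [
    [("open", 0x401120, (0x401050, 0x4010A0)),
     ("read", 0x401140, (0x401050, 0x4010A0)),
     ("write", 0x401160, (0x401050, 0x4010A0)),
     ("close", 0x401180, (0x401050, 0x4010A0))],
    [("open", 0x401120, (0x401050, 0x4010A0)),
     ("read", 0x401140, (0x401050, 0x4010A0)),
     ("close", 0x401180, (0x401050, 0x4010A0))],
]


class SequenceModel:
    """N-gram model over system-call names only (context-free monitoring)."""

    def __init__(self, n=2):
        self.n = n
        self.allowed = set()

    def _ngrams(self, trace):
        names = [event[0] for event in trace]
        return [tuple(names[i:i + self.n]) for i in range(len(names) - self.n + 1)]

    def train(self, traces):
        for trace in traces:
            self.allowed.update(self._ngrams(trace))

    def anomalies(self, trace):
        return [ng for ng in self._ngrams(trace) if ng not in self.allowed]


class ContextModel:
    """Keys each system call on the (syscall, pc, call_stack) triple seen in training."""

    def __init__(self):
        self.allowed = set()

    def train(self, traces):
        for trace in traces:
            self.allowed.update(trace)

    def anomalies(self, trace):
        return [event for event in trace if event not in self.allowed]


def build_models(traces=TRAINING_TRACES):
    seq = SequenceModel(n=2)
    seq.train(traces)
    ctx = ContextModel()
    ctx.train(traces)
    return seq, ctx


def alert_counts(trace, models=None):
    """Return (sequence-model alerts, context-model alerts) for one trace."""
    seq, ctx = models or build_models()
    return len(seq.anomalies(trace)), len(ctx.anomalies(trace))


# Constructed trace of a naive mimicry attempt: injected code issues the
# legitimate open/read/write/close sequence itself, so the program counter and
# call stack point into the injected block rather than the application's code.
NAIVE_MIMICRY_TRACE = [
    ("open", 0x7FFC0010, (0x7FFC0000,)),
    ("read", 0x7FFC0020, (0x7FFC0000,)),
    ("write", 0x7FFC0030, (0x7FFC0000,)),
    ("close", 0x7FFC0040, (0x7FFC0000,)),
]

# Constructed trace with a system call never seen in training; both models flag it.
FOREIGN_SYSCALL_TRACE = [
    ("open", 0x401120, (0x401050, 0x4010A0)),
    ("execve", 0x7FFC0050, (0x7FFC0000,)),
]

if __name__ == "__main__":
    print(alert_counts(TRAINING_TRACES[0]))      # (0, 0): benign run
    print(alert_counts(NAIVE_MIMICRY_TRACE))     # (0, 4): only the context model alerts
    print(alert_counts(FOREIGN_SYSCALL_TRACE))   # (1, 1): both models alert
```

The context model is deliberately strict (exact match on the full triple); real systems relax it with abstractions such as call-stack hashes or per-call-site automata, but the property shown here is the same: reproducing the system-call sequence is not enough once each call is checked against where in the program it is issued from.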
Definitions
- Mimicry attack: the execution of a certain sequence of instructions, or tasks, that is deemed valid by a particular model of allowed program execution, yet still performs some malicious function.
Results
In order to evaluate the effectiveness of our technique we applied it to several sample programs protected by modern anomaly-based intrusion detection systems that make use of the extra context information mentioned previously. The result is that program configurations and exploit code were successfully generated automatically for these programs and the intrusion detection systems were evaded.
A second set of experiments was performed on a set of real-world programs in order to evaluate the practical effectiveness of this technique. We analyzed a web server, an FTP server, and an IMAP server.
In these experiments, 100 starting addresses were chosen at random from the code sections of each application's binary. Symbolic execution of the program was then performed from each of these addresses to determine whether a suitable machine instruction and program configuration could be found that would allow an attacker to regain control. We found that in the majority of cases it was possible to find a configuration that would allow a multi-step mimicry attack.
For further discussion of these results, please see the paper Automating Mimicry Attacks Using Static Binary Analysis.
Publications
People
- C. Kruegel, Assistant Professor, TU Vienna, Austria.
- E. Kirda, Assistant Professor, TU Vienna, Austria.
- D. Mutz, Professional Expert.
- W. Robertson, Graduate Student.
- G. Vigna, Associate Professor, UCSB.
Acknowledgments
This research was supported by the National Science Foundation under grants CCR-0209065 and CCR-0238492.