Dailydave mailing list archives

Re: Graphing: Don't believe everything you see.


From: "Dave Aitel" <dave.aitel () gmail com>
Date: Fri, 9 Feb 2007 16:17:23 -0500

In the famous Buffy episode "Hush", Joss Whedon demonstrates through a
creative plot device - removing the voices from the entire town - that
often talking is the opposite of communication. But I don't have time to
draw pretty pictures, so here goes.

Imagine a simple host intrusion protection device that makes a graph of
system call chains of a process as it runs normally, and then in the future
restricts the process to those system call chains. These chains start with a
CreateThread() and can end at any point, but typically with an ExitThread().

Given this simple system, we can defeat it with a "hooker shellcode" which
hooks the functions our shellcode wants to call. For example, "accept()",
"recv()", "CreateFile", "Write()" and so on. Because system call arguments
are not looked at, we replace the original arguments with the arguments we
would prefer, and then let the process continue. Each system call may happen
in a completely different thread, but it will happen exactly as the HIPS
thinks it should, just with different arguments.

Essentially the problem is that the HIPS models on a per-thread basis, and
there is no per-thread memory isolation. Of course to do the hooks
themselves you'll want to call VirtualProtect, but we can do something more
invasive to take over every thread's exception handler and play our little
reindeer games. We can, after all, write into every thread's stack.

And of course, it may be that statistically, CreateThread() branches quite
predictably. So if we can call CreateThread, we might be able to do anything
we want after that point.
CreateThread(DoAcceptData()); CreateThread(DoWriteDataToFile());
CreateThread(DoExecFile()); and so on.

Today I played a lot more with Vista. It turns out it DOES have the
10-half-open TCP connection limit. And there's no way to shut that off. I
take back what I said about it being better than XP SP2.

-dave



On 2/8/07, Alexander Sotirov <asotirov () determina com> wrote:

Dave Aitel wrote:
> For the record, or at least, as a reminder to the record, anything
> based solely on system call ordering is going to have a bugger of a
> time dealing with CreateThread().

What is the problem with CreateThread? You just need to look at the syscall
ordering per thread, not per process, and everything will be fine.

Alex
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
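To make the argument-blindness point from the thread concrete, here is an added toy simulation of a per-thread syscall-chain whitelist (not code from the post or from any HIPS product): the syscall names, the file paths and the path-class tagging used by the hardened variant are all constructed assumptions. It shows that a sequence-only model accepts a learned chain replayed with different arguments while still rejecting a reordered chain, and that folding a coarse argument class into the graph nodes closes that gap.

```python
from collections import namedtuple

Call = namedtuple("Call", "name path")  # path is None for non-file calls

# Constructed training traces: one per-thread chain each, CreateThread..ExitThread.
TRAINING = [
    [Call("CreateThread", None), Call("accept", None), Call("recv", None),
     Call("ExitThread", None)],
    [Call("CreateThread", None), Call("CreateFile", r"C:\app\log.txt"),
     Call("WriteFile", r"C:\app\log.txt"), Call("ExitThread", None)],
]
# Constructed test chains.
ORIG_CHAIN = TRAINING[1]
SWAPPED_ARGS = [Call("CreateThread", None), Call("CreateFile", r"C:\other\x.txt"),
                Call("WriteFile", r"C:\other\x.txt"), Call("ExitThread", None)]
REORDERED = [Call("CreateThread", None), Call("recv", None), Call("accept", None),
             Call("ExitThread", None)]


class ChainModel:
    """Whitelist of (prev -> next) transitions learned from per-thread chains."""

    def __init__(self, with_args=False):
        self.with_args = with_args
        self.edges = set()

    def node(self, call):
        if not self.with_args:
            return call.name  # sequence-only: arguments are never inspected
        # Hardened variant (assumption): tag file calls with a coarse path class,
        # so keeping the order but changing the target yields an unseen edge.
        if call.path is None:
            cls = "-"
        elif call.path.lower().startswith("c:\\app\\"):
            cls = "app_dir"
        else:
            cls = "other"
        return (call.name, cls)

    def train(self, traces):
        for t in traces:
            for a, b in zip(t, t[1:]):
                self.edges.add((self.node(a), self.node(b)))

    def allowed(self, trace):
        return all((self.node(a), self.node(b)) in self.edges
                   for a, b in zip(trace, trace[1:]))


def evaluate():
    """Return {(model, chain): allowed?} for both models over the three chains."""
    out = {}
    for label, with_args in (("seq_only", False), ("with_args", True)):
        model = ChainModel(with_args)
        model.train(TRAINING)
        for cname, chain in (("orig", ORIG_CHAIN), ("swapped", SWAPPED_ARGS),
                             ("reordered", REORDERED)):
            out[(label, cname)] = model.allowed(chain)
    return out
```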
