SOURCE-FREE BINARY MUTATION FOR OFFENSE AND DEFENSE by Vishwath R. Mohan APPROVED BY SUPERVISORY COMMITTEE: Kevin W. Hamlen, Chair Alvaro C´ardenas Latifur Khan Zhiqiang Lin Copyright c  2014 Vishwath R. Mohan All rights reserved Dedicated to my parents, who encouraged without question. To my wife, for lifting me far beyond where I could have flown myself. To my grandfather, more technology-aware than most PhDs I know. SOURCE-FREE BINARY MUTATION FOR OFFENSE AND DEFENSE by VISHWATH R. MOHAN, BS, MS DISSERTATION Presented to the Faculty of The University of Texas at Dallas in Partial Fulfillment of the Requirements for the Degree of DOCTOR OF PHILOSOPHY IN COMPUTER SCIENCE THE UNIVERSITY OF TEXAS AT DALLAS December 2014 ACKNOWLEDGMENTS This dissertation could not have been completed without the help of the author’s advisor, Dr. Kevin Hamlen, who served as inspiration, role model and walking database of both ideas and knowledge. Richard Wartell, the author’s research partner and collaborator on some of the research presented in the dissertation, deserves a huge shout out. This dissertation owes a lot to not just his invaluable research assistance, but also his continued friendship and support. Because no one should have to delve the depths of x86 machine code alone. The author wishes to thank Dr. Zhiqiang Lin, Dr. Latifur Khan, and Dr. Mehedy Masud, whose contributions and ideas, both defensive and offensive, greatly helped this dissertation achieve its goals. Special thanks should also be given to Dr. Per Larsen, who provided the seed of the idea that eventually became Opaque CFI. He also proved to be a motivating collaborator and good friend, for which the author is grateful. Finally, the author wishes to thank his wife, Sanjana Raghunath, for her patience and constant support. The research reported in this dissertation was supported in part by the Air Force Office of Scientific Research (AFOSR) under Young Investigator Program (YIP) award FA9550-08-1- 0044 and Active Defense award FA9550-10-1-0088, the National Science Foundation (NSF) under CAREER award #1054629, the Office of Naval Research (ONR) under award N00014- 14-1-0030, and an NSF Industry-University Collaborative Research Center (IUCRC) award v from Raytheon Company. All opinions, recommendations, and conclusions expressed are those of the authors and not necessarily of the AFOSR, NSF, ONR, or Raytheon. November 2014 vi PREFACE This dissertation was produced in accordance with guidelines which permit the inclusion as part of the dissertation the text of an original paper or papers submitted for publication. The dissertation must still conform to all other requirements explained in the “Guide for the Preparation of Master’s Theses and Doctoral Dissertations at The University of Texas at Dallas.” It must include a comprehensive abstract, a full introduction and literature review, and a final overall conclusion. Additional material (procedural and design data as well as descriptions of equipment) must be provided in sufficient detail to allow a clear and precise judgment to be made of the importance and originality of the research reported. It is acceptable for this dissertation to include as chapters authentic copies of papers already published, provided these meet type size, margin, and legibility requirements. In such cases, connecting texts which provide logical bridges between different manuscripts are mandatory. Where the student is not the sole author of a manuscript, the student is required to make an explicit statement in the introductory material to that manuscript describing the student’s contribution to the work and acknowledging the contribution of the other author(s). The signatures of the Supervising Committee which precede all other material in the dissertation attest to the accuracy of this statement. vii SOURCE-FREE BINARY MUTATION FOR OFFENSE AND DEFENSE Publication No. Vishwath R. Mohan, PhD The University of Texas at Dallas, 2014 Supervising Professor: Kevin W. Hamlen The advent of advanced weaponized software over the past few years, including the Stuxnet, Duqu, and Flame viruses, is indicative of the seriousness with which advanced persistent threats (APTs) have begun to treat the cyber-realm as a potential theatre for offensive military action and espionage. This has coincided with a strong interest in creating malware obfuscations that hide their payloads for extended periods of time, even while under active search. Progress on this front threatens to render conventional software defenses obsolete, placing the world in dire need of more resilient software security solutions. This dissertation underlines the seriousness of this threat through the design and imple- mentation of two novel, next-generation malware obfuscation technologies that bypass to- day’s widely deployed defenses. Unlike conventional polymorphic malware, which mutates randomly in an effort to evade detection, the presented attacks are reactively adaptive in the sense that they intelligently surveil, analyze, and adapt their obfuscation strategies in the wild to understand and defeat rival defenses. The dissertation then presents three novel software defenses that offer strengthened software security against both current and future offensive threats. Rather than attempting to detect threats statically (i.e., before viii they execute), or introducing dynamic monitors that raise compatibility and performance penalties for consumers, the new defenses implement automated, source-free, binary soft- ware transformations that preemptively transform untrusted software into safe software. Experiments show that this security retrofitting approach offers higher performance, greater security, and more flexible deployment options relative to competing approaches. Thus, binary code transformation and mutation is realized as both a powerful offensive and a potent defensive paradigm for software attacks and defenses. ix TABLE OF CONTENTS ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi CHAPTER 1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 CHAPTER 2 BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1 Malware Detection and Obfuscation . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Code-Reuse Attacks and Defenses . . . . . . . . . . . . . . . . . . . . . . . . 9 2.3 Binary Rewriting and In-lined Reference Monitors . . . . . . . . . . . . . . . 10 2.4 Challenges with Source-Free Disassembly . . . . . . . . . . . . . . . . . . . . 12 PART I MALWARE OFFENSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 CHAPTER 3 EXPLOITING AN ANTIVIRUS INTERFACE . . . . . . . . . . . . . 16 3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2 A data mining based malware detection model . . . . . . . . . . . . . . . . . 19 3.2.1 Feature extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3.2.2 Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 3.2.3 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 3.3 Model-reversing Obfuscations . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.3.1 Path Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.3.2 Feature Insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3.3 Feature Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 3.4 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 3.4.1 Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 3.4.2 Interface Exploit Experiment . . . . . . . . . . . . . . . . . . . . . . 33 x [...]... O-CFI code layout transformation Clustering occurs once, before the program executes (2nd column) Basic block and cluster randomization (3rd column), and portal insertion (4th column) occurs at load-time 124 7.2 Chaining gadgets in O-CFI 7.3 O-CFI architecture A vulnerable COTS x86 binary is analyzed and instrumented statically to create the corresponding O-CFI binary At load-time, a... techniques to the vast swath of commercial off-the-shelf (COTS) and legacy binaries in use today, which do not have source or debug information available, or for which consumers will not accept a significant performance degradation purely for the sake of improved security There is thus a need for a source-free technique that can efficiently monitor and constrain an arbitrary application’s behavior Code-reuse... detection defenses In response, it proposes new source-free binary code transformation defensive techniques that are better suited to securing applications against next-generation offensive threats For both tasks, the dissertation leverages the power of automated source-free binary rewriting to propose offensive and defensive solutions that are both efficient and widely deployable The dissertation begins... creation of the first compiler-agnostic and source-free x86 binary rewriter that is robust to disassembly errors and compatible with advanced compiler techniques like interleaved code and data, or position independent code We use the rewriter to create three security systems for x86 binaries: (1) Reins (Chapter 5) provides Software Fault Isolation (SFI) and arbitrary policy enforcement at the system API level... the syntactic—rather than semantic—analysis of binary code That is, it attempts to classify a binary as malicious by comparing its contents and structure for similarities to known malware For this reason, static syntactic-based techniques are commonly referred to as static signature-based defenses The cat -and- mouse relationship between malware detection and obfuscation can be seen by looking at currently... Malware Binary Obfuscation Function Testing Obfuscated Binary propagate Figure 3.1 Binary Obfuscation Architecture describes experiments and evaluation of our technique Section 3.5 concludes with discussion and suggestions for future work 3.1 Overview The architecture of our binary obfuscation methodology is illustrated in Figure 3.1 We begin by submitting a diverse collection of malicious and benign... purely for monetary profit, is now being recognized for its potential as an effective reconnaissance and covert monitoring tool (Flame), or as a safer, cheaper way to preemptively strike at targets of strategic military value (Stuxnet) In such a scenario, any competitive solution to cyber-security must include options for both offensive and defensive action, and approaches that focus purely on defense. .. effective against some modern static defenses, their reliance on random, undirected mutation makes them brittle against defenders who actively adapt their protections to target specific emerging threats and threat-families In most cases, focused defender reverse-engineering efforts uncover mutation patterns or invariants that suffice for defenders to reliably detect and quarantine most or all variants of... dynamic detection techniques that monitor the execution of a binary and classify it at run-time Dynamic detection techniques have access to the behavior exhibited by a binary, and are able to utilize that information to make fairly accurate classifications However, they also suffer from higher overheads (Kim and Karp, 2004; Singh et al., 2004; Kreibich and Crowcroft, 2004; Li et al., 2006; Newsome et al., 2005)... adaptive obfuscation strategies that learn and adapt to changing defenses rapidly and autonomously Such adaptation renders signature-based defenses moot, since as soon as defenders discover and deploy a new signature in response to the threat, reactively adaptive malware learns the new signature and adapts its obfuscation pattern to evade it Thus, reactively adaptive mutation innovations will imbue weaponized . question. To my wife, for lifting me far beyond where I could have flown myself. To my grandfather, more technology-aware than most PhDs I know. SOURCE-FREE BINARY MUTATION FOR OFFENSE AND DEFENSE by VISHWATH. SOURCE-FREE BINARY MUTATION FOR OFFENSE AND DEFENSE by Vishwath R. Mohan APPROVED BY SUPERVISORY COMMITTEE: Kevin W. Hamlen,. material in the dissertation attest to the accuracy of this statement. vii SOURCE-FREE BINARY MUTATION FOR OFFENSE AND DEFENSE Publication No. Vishwath R. Mohan, PhD The University of Texas at