Windows HIPS & LDF

Roberto Battistoni ([email protected]) Information Security Lessons 2012/2013 (prof. Luigi V. Mancini) – 12/12/2012

Transcript of Windows HIPS & LDF

Page 1: Windows HIPS & LDF

Roberto Battistoni ([email protected])

Information Security Lessons 2012/2013 (prof. Luigi V. Mancini) – 12/12/2012

Page 2: Windows HIPS & LDF

v  Introduction to Windows internals

v  Two open source projects:

o  WHIPS: Windows Host Intrusion Prevention System

o  FoXP: Computer Forensic eXPerience

Page 3: Windows HIPS & LDF

Windows Seven is the evolution of Windows NT 4.0. The first OS based on the NT technology was Windows NT 3.5 in 1993. NT was created from a Digital Research project. Its name originally was “VMS NT”, then it was changed to “Windows NT”.

Page 4: Windows HIPS & LDF

Page 5: Windows HIPS & LDF

Page 6: Windows HIPS & LDF

Page 7: Windows HIPS & LDF

Local Security Authority subsystem (Lsass): A user-mode process running the image “Lsass.exe” that is responsible for the local system security policy (such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings), user authentication, and sending security audit messages to the Event Log.

Security reference monitor (SRM): A component in the Windows executive (Ntoskrnl.exe) that is responsible for defining the access token data structure to represent a security context, performing security access checks on objects, manipulating privileges (user rights), and generating any resulting security audit messages.

Page 8: Windows HIPS & LDF

When a process tries to open an object, the integrity check takes place before the standard Windows DACL check in the kernel’s SeAccessCheck function because it is faster to execute and can quickly eliminate the need to perform the full discretionary access check. Given the default integrity policies, a process can only open an object for write access if its integrity level is equal to or higher than the object’s integrity level and the DACL also grants the process the accesses it desires.

Two methods are used for determining access to an object:

• The mandatory integrity check, which determines whether the integrity level of the caller is high enough to access the resource, based on the resource’s own integrity level and its mandatory policy (Biba?).

• The discretionary access check, which determines the access that a specific user account has to an object, as configured by the object’s owner.
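The order of the two checks, as an added worked model in C (not Windows code and not from the slides; the integrity levels, rights, SIDs and ACE layout are simplified toy definitions invented for the example):

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example (a model, not Windows' SeAccessCheck): the two checks above
 * in the order the slide gives them. Integrity levels, rights, SIDs and ACE
 * layout are simplified toy definitions invented for this example. */

enum { IL_LOW = 0x1000, IL_MEDIUM = 0x2000, IL_HIGH = 0x3000, IL_SYSTEM = 0x4000 };
enum { RIGHT_READ = 0x1, RIGHT_WRITE = 0x2, RIGHT_EXECUTE = 0x4 };
enum { ACE_ALLOW, ACE_DENY };

typedef struct { int type; uint32_t sid; uint32_t mask; } ace_t;

typedef struct {                     /* caller's access token */
    uint32_t groups[8];
    size_t   ngroups;
    uint32_t integrity;              /* caller's integrity level */
} token_t;

typedef struct {                     /* object's security descriptor */
    uint32_t     integrity;          /* mandatory label on the object */
    const ace_t *dacl;
    size_t       nace;
} secdesc_t;

static bool token_has_sid(const token_t *t, uint32_t sid)
{
    for (size_t i = 0; i < t->ngroups; i++)
        if (t->groups[i] == sid) return true;
    return false;
}

/* Mandatory integrity check (Biba "no write up"): write access requires the
 * caller's level to be >= the object's level; reads are not restricted here. */
static bool integrity_check(const token_t *t, const secdesc_t *sd, uint32_t want)
{
    return !(want & RIGHT_WRITE) || t->integrity >= sd->integrity;
}

/* Discretionary check: walk the DACL in order. A deny ACE for a SID in the
 * token that covers any still-ungranted right fails the check; allow ACEs
 * accumulate rights until every requested right has been granted. */
static bool dacl_check(const token_t *t, const secdesc_t *sd, uint32_t want)
{
    uint32_t remaining = want;
    for (size_t i = 0; i < sd->nace && remaining; i++) {
        const ace_t *a = &sd->dacl[i];
        if (!token_has_sid(t, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return false;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;
}

/* The cheap integrity check runs first; the DACL walk only if it passed. */
bool access_check(const token_t *t, const secdesc_t *sd, uint32_t want)
{
    return integrity_check(t, sd, want) && dacl_check(t, sd, want);
}

/* Constructed scenario: a Medium-integrity process in group 1001 asks for
 * write access to a High-labelled object whose DACL grants 1001 everything.
 * The DACL would allow it, but the integrity check rejects it first. */
bool demo_medium_process_writes_high_object(void)
{
    static const ace_t dacl[] = { { ACE_ALLOW, 1001, RIGHT_READ | RIGHT_WRITE } };
    token_t   proc = { { 1001 }, 1, IL_MEDIUM };
    secdesc_t obj  = { IL_HIGH, dacl, 1 };
    return access_check(&proc, &obj, RIGHT_WRITE);
}
```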

Page 9: Windows HIPS & LDF

                    1 1 1 1 1 1
  5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
 +-------------------------------------------------------------+
 |  SubAuthorityCount  |  Reserved1 (SBZ)  |      Revision     |
 +-------------------------------------------------------------+
 |                    IdentifierAuthority[0]                   |
 +-------------------------------------------------------------+
 |                    IdentifierAuthority[1]                   |
 +-------------------------------------------------------------+
 |                    IdentifierAuthority[2]                   |
 +-------------------------------------------------------------+
 |                                                             |
 +- - - - - - - - - - -  SubAuthority[]  - - - - - - - - - - - +
 |                                                             |
 +-------------------------------------------------------------+

SIDs identify the entities that perform operations in the system and represent every user, group, machine or domain.

Possible identifier authority values are:

• 0 - Null Authority

• 1 - World Authority

• 2 - Local Authority

• 3 - Creator Authority

• 4 - Non-unique Authority

• 5 - NT Authority

• 9 - Resource Manager Authority

C:\>psgetsid Z24

PsGetSid v1.43 - Translates SIDs to names and vice versa
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for WAM2\Z24:
S-1-5-21-1993962763-2139871995-725345543-1003
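A decoder for the binary SID layout drawn above, written as an added example for this transcript (it is not from the slides or from the WHIPS/FoXP projects); the sample bytes are constructed from the psgetsid output:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): decode the binary SID layout shown
 * above (Revision, SubAuthorityCount, a 6-byte big-endian IdentifierAuthority,
 * then SubAuthorityCount little-endian 32-bit SubAuthority values) into the
 * textual "S-1-..." form that psgetsid prints. */

#define SID_MAX_SUB_AUTHORITIES 15

/* Returns the string length written, or -1 if the buffer is not a well-formed
 * SID (unsupported revision, too many sub-authorities, or truncated). */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1 || sid[1] > SID_MAX_SUB_AUTHORITIES)
        return -1;
    size_t count = sid[1];
    if (len < 8 + 4 * count)
        return -1;                          /* SubAuthority[] is truncated */

    uint64_t authority = 0;                 /* IdentifierAuthority: sid[2..7] */
    for (int i = 2; i < 8; i++)
        authority = (authority << 8) | sid[i];

    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return -1;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        int m = snprintf(out + n, outlen - n, "-%u", (unsigned)sub);
        if (m < 0 || (size_t)m >= outlen - n)
            return -1;
        n += m;
    }
    return n;
}

/* Encode a SID from its parts; used only to build the constructed sample. */
size_t sid_build(uint8_t *buf, uint8_t authority, const uint32_t *subs, uint8_t count)
{
    memset(buf, 0, 8);
    buf[0] = 1;                 /* Revision */
    buf[1] = count;             /* SubAuthorityCount */
    buf[7] = authority;         /* low byte of the 48-bit IdentifierAuthority */
    for (uint8_t i = 0; i < count; i++) {
        buf[8 + 4 * i + 0] = (uint8_t)(subs[i]);
        buf[8 + 4 * i + 1] = (uint8_t)(subs[i] >> 8);
        buf[8 + 4 * i + 2] = (uint8_t)(subs[i] >> 16);
        buf[8 + 4 * i + 3] = (uint8_t)(subs[i] >> 24);
    }
    return 8 + 4 * (size_t)count;
}

/* Rebuilds the SID psgetsid printed for WAM2\Z24 on the slide: NT Authority (5),
 * sub-authorities 21-1993962763-2139871995-725345543 and RID 1003. */
int demo_wam2_z24(char *out, size_t outlen)
{
    const uint32_t subs[] = { 21, 1993962763u, 2139871995u, 725345543u, 1003 };
    uint8_t buf[8 + 4 * SID_MAX_SUB_AUTHORITIES];
    size_t len = sid_build(buf, 5, subs, 5);
    return sid_to_string(buf, len, out, outlen);
}

int main(void)
{
    char s[128];
    if (demo_wam2_z24(s, sizeof s) > 0)
        printf("SID for WAM2\\Z24: %s\n", s);
    return 0;
}
```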


Page 10: Windows HIPS & LDF

§  The protection context of a process or a thread is made from information describing its privileges, account and groups, and it is represented by the Access Token.

§  A privilege in Windows is the right to operate on the whole system, without distinction among the objects in it.

§  The Security Reference Monitor (SRM) uses the Access Tokens to allow or deny access to system objects according to the protection context of the process or thread.

§  All the programs (processes) started by the user inherit a copy of the initial token, created at the user’s log-on together with the user’s shell (explorer.exe).

Page 11: Windows HIPS & LDF

§  There are two kinds of Access Token: Primary Token and Impersonation Token.

•  Impersonation allows the security context of a process or a thread to be migrated. A process inherits the primary token or receives a new impersonation token.

•  In Windows (>= Vista), if a user belongs to Administrators, the processes assigned to the user have two distinct Access Tokens: one with user rights and the other one with Administrator rights. The mechanism that chooses the needed Access Token is called UAC (User Account Control).

Page 12: Windows HIPS & LDF

Discretionary Access Control List (DACL): An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.

A system access control list (SACL) enables administrators to log attempts to access a secured object.

A security descriptor contains the security information associated with a securable object. A security descriptor consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor can include the following security information:

• Security identifiers (SIDs) for the owner and primary group of an object.

• A DACL that specifies the access rights allowed or denied to particular users or groups.

• A SACL that specifies the types of access attempts that generate audit records for the object.

• A set of control bits that qualify the meaning of a security descriptor or its individual members.

Page 13: Windows HIPS & LDF

Page 14: Windows HIPS & LDF

Page 15: Windows HIPS & LDF

•  A privileged process is a process to which some “Windows privileges” have been assigned.

•  A privileged process with dangerous privileges is a dangerous process.

•  Windows Services, which are very similar to Unix daemons, are dangerous processes.

•  Almost all the Windows 2000 Services authenticated with a very highly privileged account: LocalSystem. LocalSystem belongs to the Administrators group.

•  Starting from Windows XP, a lot of Windows Services use two new less privileged accounts to authenticate themselves: LocalService and NetworkService.

•  A Service vulnerability allows a malicious user to gain the rights of LocalSystem, LocalService or NetworkService. A lot of attacks are made against Services that are listening on TCP ports: Privilege Escalation.

•  System calls are critical when they can be used by malware or a hacker. They are dangerous if used in attacks and called by a dangerous process like a Service.

Page 16: Windows HIPS & LDF

•  S-1-5-18: Local System
•  S-1-5-19: Local Service
•  S-1-5-20: Network Service
•  S-1-5-80: Per Service SID

A process is running as a service if one of the group SIDs in its token equals the Service SID “S-1-5-6”.

Page 17: Windows HIPS & LDF


Page 18: Windows HIPS & LDF

ntdll!ZwReadFile:
77f8c552 mov eax,0xa1
77f8c557 lea edx,[esp+0x4]
77f8c55b int 2e
77f8c55d ret 0x24

•  Native APIs are exported by the Windows Kernel with two different name prefixes: Zw* and Nt*. The former always call the dispatcher “KiSystemService()”, the latter do not.

•  Not all the native APIs are exported by NTOSKRNL.LIB (in the Windows DDK). In some cases you have to use the API’s address inside the kernel directly.

•  To invoke a native API, an interrupt had to be raised: 0x2E. Now (from XP) it is no longer used and the code directly executes the CPU instruction SYSENTER.

“Newer versions of Windows no longer use INT 2E or go through the IDT to request the services in the system call table. Instead, they use the fast call method.

In this case, NTDLL loads the EAX register with the system call number of the requested service and the EDX register with the current stack pointer, ESP. NTDLL then issues the Intel instruction SYSENTER.”

ntdll!ZwReadFile:
77f4302f mov eax,0xbf
77f43034 mov edx,0x7ffe0300
77f43039 call edx
77f4303b ret 0x24

SharedUserData!SystemCallStub:
7ffe0300 mov edx,esp
7ffe0302 sysenter
7ffe0304 ret
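An added example (not from the slides or the projects) that decodes the two stub shapes above: it reads the service number from mov eax, the stack bytes released by ret (0x24 = 36 bytes, i.e. 9 DWORD arguments for ZwReadFile, which is the "how many parameters" question of page 29) and which gate is used. The byte strings are constructed from the disassemblies shown above; any opcode outside that small vocabulary is reported as not a plain stub.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the slides): a minimal decoder for the two NTDLL
 * syscall stub shapes shown above. It recognises only the instructions such
 * stubs contain, extracts the system service number loaded into EAX, the
 * number of stack bytes released by "ret imm16" (= 4 * argument count on
 * 32-bit Windows) and how the transition to the kernel is made. */

typedef enum { GATE_UNKNOWN, GATE_INT2E, GATE_SYSENTER_STUB } gate_t;

typedef struct {
    uint32_t service_number;   /* immediate of "mov eax, imm32"            */
    unsigned arg_count;        /* "ret imm16" / 4                          */
    gate_t   gate;             /* int 2e or call through SharedUserData    */
} stub_info_t;

/* Returns 0 on success, -1 if an instruction outside the stub vocabulary
 * is met before "ret", or if the stub is truncated. */
int decode_stub(const uint8_t *code, size_t len, stub_info_t *info)
{
    size_t i = 0;
    int have_eax = 0;
    info->service_number = 0; info->arg_count = 0; info->gate = GATE_UNKNOWN;

    while (i < len) {
        uint8_t op = code[i];
        if (op == 0xB8 && i + 5 <= len) {               /* mov eax, imm32 */
            info->service_number = (uint32_t)code[i+1] | (uint32_t)code[i+2] << 8 |
                                   (uint32_t)code[i+3] << 16 | (uint32_t)code[i+4] << 24;
            have_eax = 1; i += 5;
        } else if (op == 0xBA && i + 5 <= len) {        /* mov edx, imm32 (stub address) */
            i += 5;
        } else if (op == 0x8D && i + 4 <= len && code[i+1] == 0x54 && code[i+2] == 0x24) {
            i += 4;                                      /* lea edx,[esp+disp8] */
        } else if (op == 0xCD && i + 2 <= len) {        /* int imm8 */
            if (code[i+1] == 0x2E) info->gate = GATE_INT2E;
            i += 2;
        } else if (op == 0xFF && i + 2 <= len && code[i+1] == 0xD2) {
            info->gate = GATE_SYSENTER_STUB;             /* call edx */
            i += 2;
        } else if (op == 0xC2 && i + 3 <= len) {        /* ret imm16 */
            unsigned bytes = code[i+1] | (unsigned)code[i+2] << 8;
            info->arg_count = bytes / 4;
            return have_eax ? 0 : -1;
        } else if (op == 0xC3) {                         /* ret */
            return have_eax ? 0 : -1;
        } else {
            return -1;                                   /* not a plain stub */
        }
    }
    return -1;                                           /* no ret reached */
}

/* Bytes constructed from the two disassemblies on the slide. */
static const uint8_t STUB_NT4[] = {
    0xB8, 0xA1, 0x00, 0x00, 0x00,   /* mov eax,0xa1            */
    0x8D, 0x54, 0x24, 0x04,         /* lea edx,[esp+0x4]       */
    0xCD, 0x2E,                     /* int 2e                  */
    0xC2, 0x24, 0x00                /* ret 0x24                */
};
static const uint8_t STUB_XP[] = {
    0xB8, 0xBF, 0x00, 0x00, 0x00,   /* mov eax,0xbf            */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx,0x7ffe0300      */
    0xFF, 0xD2,                     /* call edx                */
    0xC2, 0x24, 0x00                /* ret 0x24                */
};

int main(void)
{
    stub_info_t s;
    if (decode_stub(STUB_XP, sizeof STUB_XP, &s) == 0)
        printf("ZwReadFile: service 0x%x, %u args, gate=%d\n",
               (unsigned)s.service_number, s.arg_count, (int)s.gate);
    return 0;
}
```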


Page 19: Windows HIPS & LDF

Page 20: Windows HIPS & LDF

Page 21: Windows HIPS & LDF

Page 22: Windows HIPS & LDF

Page 23: Windows HIPS & LDF

Page 24: Windows HIPS & LDF

Page 25: Windows HIPS & LDF

Diagram labels: “OK”; “LAN, Intranet, Internet, local attack”; “Here is the Windows Service to attack”; “WHIPS”; “Malicious Native API”; “Good Native API”.

Page 26: Windows HIPS & LDF

Page 27: Windows HIPS & LDF

WHIPS replaces the original native pointers in the SSDT with pointers to new native APIs that are called “WHIPS wrappers” and whose names start with “NewNt....”.

Page 28: Windows HIPS & LDF

•  Pointer initialization
•  Syscall Index
•  Memory mapping (MDL)
•  Control Register 0 (write protection) disabling
•  SST update with Interlocked operation (multiprocessor safe)
•  Service control message
•  Set data structures
•  SST Protection (from Windows XP)

    #define HOOK_SYSCALL(_Function, _Hook, _Orig) \
        _Orig = (PVOID) InterlockedExchange((PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

Page 29: Windows HIPS & LDF

•  How many parameters does a syscall have?
•  HookPacket structure
•  ReferenceMonitor call

Page 30: Windows HIPS & LDF

•  Retrieving the calling User Mode Process within the Syscall
•  Executive Process Block structure
•  Query process information
•  Retrieving process executable image path

Page 31: Windows HIPS & LDF


Page 32: Windows HIPS & LDF

•  To increase:
   •  Stability
   •  Reliability (still not so high)
   •  Performance

•  Security issues:
   •  Secure boot
   •  Non-paged memory amount
   •  Authentication between components
   •  Integrity and availability of used files
   •  Secure channel communication

Page 33: Windows HIPS & LDF

Page 34: Windows HIPS & LDF

Page 35: Windows HIPS & LDF

v Completeness: the system has to collect enough information to intercept the user’s activity

v Integrity: nobody can modify the log without being properly authorized

v Authenticity: logs have to be authenticated

v Non bypassable: nobody can escape the log activity or stop the logging without authorization

v Transparency: logging has to be invisible to the user

v Reproducibility: knowing for every activity “who” and “what”

v Efficiency: minimizing the log dimension and the node overhead.

Page 36: Windows HIPS & LDF

LDF (Live Digital Forensic) has three key aspects related to the “Live” part:

•  Continuity: shutting down a system could represent a big problem in environments that cannot be stopped;

•  Real Time analysis: LDF intercepts activities while the system is running and no one knows about it; it can allow the CF expert and the admin to analyze (in RT) what happens and to prevent malicious activities;

•  Proactivity: in classic Computer Forensics the approach is only “Reactive”, whereas in LDF it is “Proactive”.

Page 37: Windows HIPS & LDF


Page 38: Windows HIPS & LDF

u  Usage of System Call interposition for Computer Forensic purposes

u  Real Time System Call interception leads to Live Digital Forensic (LDF)

u  Distributed collection of intercepted system calls

u  The prototype (FOXP) is released as an open source project

Page 39: Windows HIPS & LDF

FOXP: an open source Computer Forensic system for Windows networks where every node has a Windows NT family OS.

Scenario:

•  N controlled nodes; every node sends its logs to the central server
•  A server node receives node logs and organizes them into a R-DBMS
•  R-DBMS for data collection: it is a support for a better forensic analysis

Page 40: Windows HIPS & LDF

Client Side: the logger component collects and sends data to the central server (Windows NT family OS)

Secure Communication: to provide authenticity, integrity and confidentiality

Server Side: a server application that collects data sent from various clients; this data is available for forensic analysis

Page 41: Windows HIPS & LDF

Diagram labels: Logging syscall; Mgmt Console; Node j; Command; Audit Server; To Analyze States & Logs; States & Logs.

Page 42: Windows HIPS & LDF

FOXP Mgmt Service (FOXP-MS): it manages the Agent and the Logger on every node as well as their communications with the centralized server of the architecture:

•  It receives commands from the Mgmt Console for the Agent rules update;
•  It forwards commands directly to the Logger;
•  It sends the node live state to the Audit Server;
•  It receives messages from the Agent and sends commands to the Logger;
•  It sends to the Collector Server the data collected from the Logger.

Diagram labels: Node Live state; Agent rules update; Data collected.

•  FOXP Agent (FOXP-A): it is like an IDS that executes basic analysis of node activities (all the agents realize a Distributed IDS). If an anomaly is detected, then the logging is activated;

•  FOXP Logger (FOXP-L): it intercepts the system calls invoked on the node and keeps track of them in a logging file;

Page 43: Windows HIPS & LDF

•  FOXP Collector Server (FOXP-CS): it receives and stores logs from every network node;

•  FOXP Audit Server (FOXP-AS): it receives and stores the state of the nodes. It receives commands from the FOXP-MC and forwards them to the FOXP-MS of the destination nodes;

•  FOXP Management Console (FOXP-MC): it remotely manages network nodes communicating with the FOXP-MS on every node. It monitors the state of the nodes, configures and updates the Agent rules, manages the FOXP-Logger;

•  FOXP Forensic Analysis Tools (FOXP-FAT): it executes the analysis of the collected logs and states.

Page 44: Windows HIPS & LDF

•  It is the WHIPS core function
•  Interception technique extended to all the 284 system calls of Windows XP and VISTA and Seven (we hope...)
•  It uses the system call index instead of its explicit name

Page 45: Windows HIPS & LDF

Ø Assessing the efficiency and efficacy of the FOXP system with more experimentations;

Ø Classifying the system calls according to their level of dangerousness;

Ø Communication security with authenticity and non-repudiability of collected logs is currently under investigation and will be presented in a different paper.

Page 46: Windows HIPS & LDF

See you next week…maybe!

Page 47: Windows HIPS & LDF

Page 48: Windows HIPS & LDF

•  This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase: "no read down, no write up". This is in contrast to the Bell-LaPadula model which is characterized by the phrase "no write down, no read up".

•  In the Biba model, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest). Conversely, users can only view content at or above their own integrity level.

•  The Biba model defines a set of security rules similar to the Bell-LaPadula model. These rules are the reverse of the Bell-LaPadula rules:

o  The Simple Integrity Axiom states that a subject at a given level of integrity must not read an object at a lower integrity level (no read down).

o  The * (star) Integrity Axiom states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).

Page 49: Windows HIPS & LDF


Page 50: Windows HIPS & LDF

• CPU Cycle Counting: In Windows Vista, the scheduler uses the cycle counter register of modern processors to track precisely how many CPU cycles a thread executes.

• Multimedia Class Scheduler Service: Windows Vista introduces MMCSS to manage the CPU priorities of multimedia threads. A multimedia app like Windows Media® Player 11 registers with MMCSS using new APIs that indicate its multimedia characteristics. MMCSS has a priority-management thread that runs at priority 27. This thread boosts the priority of registered multimedia threads.

• File-Based Symbolic Links: The Windows Vista I/O-related changes include file-based symbolic links, more efficient I/O completion processing, comprehensive support for I/O cancellation, and prioritized I/O.

• I/O Completion and Cancellation: There are a number of under-the-hood changes to the I/O system that can improve the performance of server applications. These applications commonly use a synchronization object called a completion port to wait for the completion of asynchronous I/O requests. On Windows Vista, the I/O completion processing is performed not necessarily by the thread that issued the I/O, but instead by the one that is waiting for the completion port to wake it up.

• I/O Priority: While Windows has always supported prioritization of CPU usage, it hasn't included the concept of I/O priority. Windows Vista introduces two new types of I/O prioritization in order to help make foreground I/O operations get preference: priority on individual I/O operations and I/O bandwidth reservations.

Page 51: Windows HIPS & LDF

• SuperFetch: Windows XP introduced prefetching support that improved boot and application startup performance by performing large disk I/Os to preload memory with code and file system data that it expected, based on previous boots and application launches. Windows Vista goes a big step further with SuperFetch, a memory management scheme that enhances the least-recently accessed approach with historical information and proactive memory management.

• ReadyBoost: While RAM is ideal for caching disk data, it is relatively expensive. Flash memory, however, is generally cheaper and can service random reads up to 10 times faster than a typical hard disk. Windows Vista, therefore, includes a feature called ReadyBoost to take advantage of flash memory storage devices by creating an intermediate caching layer on them that logically sits between memory and disks.

• ReadyBoot: After every boot, the ReadyBoost service (the same service that implements the ReadyBoost feature just described) uses idle CPU time to calculate a boot-time caching plan for the next boot. It analyzes file trace information from the five previous boots and identifies which files were accessed and where they are located on disk.

• Dynamic Kernel Address Space: In 32-bit Windows Vista, the Memory Manager dynamically manages the kernel's address space, allocating and deallocating space to various uses as the demands of the workload require. Thus, the amount of virtual memory used to store paged buffers can grow when device drivers ask for more, and it can shrink when the drivers release it.

• Memory Priorities: Just as Windows Vista adds I/O priorities, it also implements memory priorities. On Windows Vista, every page of memory has a priority in the range of 0 to 7, and so the Memory Manager divides the Standby List into eight lists that each store pages of a particular priority. When the Memory Manager wants to take a page from the Standby List, it takes pages from low-priority lists first.

Page 52: Windows HIPS & LDF

• Boot Configuration Database: Startup has improved with the introduction of the Boot Configuration Database (BCD) for storing system and OS startup configuration, a new flow and organization of system startup processes, new logon architecture, and support for delayed-autostart services. Windows Vista shutdown changes include pre-shutdown notification for Windows services, Windows services shutdown ordering, and a significant change to the way the OS manages power state transitions.

• Startup Processes: Several system processes were re-architected for Windows Vista. Session Manager (Smss.exe) is the first user-mode process created during the boot as in previous versions of Windows, but on Windows Vista the Session Manager launches a second instance of itself to configure Session 0, which is dedicated solely to system processes. The Session Manager process for Session 0 launches the Windows Startup Application (Wininit.exe), a Windows subsystem process (Csrss.exe) for Session 0, and then it exits. The Windows Startup Application continues by starting the Service Control Manager, the Local Security Authority Subsystem, and a new process, Local Session Manager (Lsm.exe), which manages terminal server connections for the machine.

• Credential Providers: Instead of a GINA, Windows Vista uses the new Credential Provider architecture.

• Delayed-Autostart Services: Windows Vista introduces a new service start type called delayed automatic start, which services can use if they don't have to be active immediately after Windows boots.

• Shutdown: Some services, like those that have network-related shutdown operations or have to save large amounts of data to disk, might require more time and so Windows Vista allows a service to request pre-shutdown notification.

• Power Management: In Windows Vista, the kernel's Power Manager still informs drivers and applications of power-state changes so that they can prepare for them, but it no longer asks for permission.

Page 53: Windows HIPS & LDF

• Kernel Transaction Manager: When an application wants to make a number of related changes, it can either create a Distributed Transaction Coordinator (DTC) transaction and a KTM transaction handle, or create a KTM handle directly and associate the modifications of the files and registry keys with the transaction.

• Enhanced Crash Support: Windows Vista reduces the window of time where no dump file is generated by initializing dump file support after all the boot-start device drivers are initialized but before loading system-start drivers.

• Volume Shadow Copy: Windows XP introduced a technology called Volume Shadow Copy to make point-in-time snapshots of disk volumes. Windows Vista also takes advantage of volume snapshots to unify user and system data protection mechanisms and avoid saving redundant backup data.

• BitLocker: Windows Vista introduces a full-volume encryption feature called Windows BitLocker Drive Encryption. Unlike EFS, which is implemented by the NTFS file system driver and operates at the file level, BitLocker encrypts at the volume level using the Full Volume Encryption (FVE) driver.

• Code Integrity Verification: The Windows Vista code integrity for kernel-mode code feature, also known as kernel-mode code signing (KMCS), only allows device drivers to load if they are published and digitally signed by developers who have been vetted by one of a handful of certificate authorities (CAs). KMCS is enforced by default on Windows Vista for 64-bit systems.

• Protected Processes: Protected processes restrict access to a limited set of informational and process management interfaces that include querying the process's image name and terminating or suspending the process.

• Address Space Load Randomization: The Windows Vista Address Space Load Randomization (ASLR) feature makes it impossible for malware to know where APIs are located by loading system DLLs and executables at a different location every time the system boots.

Page 54: Windows HIPS & LDF

•  WHIPS Driver
   •  Developed in ANSI C with the Windows Driver Development Kit (DDK);
   •  Boot-time loading.

•  WHIPS Service
   •  Developed in C# on the Microsoft .NET 2.0;
   •  Proxy between Driver and GUI.

•  WHIPS Agent and minimal GUI Application
   •  Developed in C# on the Microsoft .NET 2.0;
   •  Notifications from the driver;
   •  Configuration of the driver policy.

Page 55: Windows HIPS & LDF

Page 56: Windows HIPS & LDF

•  Installation
   •  InstallUtil.exe
   •  Windows Registry entry
   •  Automatic starting
   •  LocalSystem account

•  It extends the ServiceBase class

•  Developed in C#

    using System.ServiceProcess;

    public class WHIPSService : ServiceBase
    {
        public WHIPSService()
        {
            this.ServiceName = "WhipsService";
            this.CanStop = true;
        }

        public static void Main()
        {
            ServiceBase.Run(new WHIPSService());
        }
    }

Page 57: Windows HIPS & LDF

•  Like a reference monitor
•  Game management
•  App2Drv/Drv2App IRPs
•  Overlapped (Asynchronous IO)
•  Named Pipe Manager
•  Communication events

Page 58: Windows HIPS & LDF

Macro to exchange pointers in the SSDT:

    #define HOOK(APIName, NewAPIPtr, OldAPIPtr) \
        OldAPIPtr = ExchangePointers(&SSDT[Index(APIName)], NewAPIPtr)
    …
    HOOK(ZwOpenFile, NewZwOpenFile, OldZwOpenFile);

Example of a new native API, NewZwOpenFile (it logs the call, then passes it on to the original entry point and returns its status):

    NTSTATUS NewZwOpenFile(OUT PHANDLE phFile, …, IN ULONG OpenMode)
    {
        doLog("ZwOpenFile", phFile, …, OpenMode);
        return OldZwOpenFile(phFile, …, OpenMode);
    }

Page 59: Windows HIPS & LDF

Internet Explorer Remote Code Execution Exploit v 0.1

    <input type="checkbox" id='a'>
    <script>
    -- malicious code --
    var r = document.getElementById('a').createTextRange();
    </script>

WHIPS log entry for the resulting native API call:

    NtOpenFile(
        OUT PHANDLE phFile: 34c |
        IN ACCESS_MASK DesiredAccess: 1000a1 |
        IN POBJECT_ATTRIBUTES ObjectAttributes: /??/C:/WINDOWS/system32/cmd.exe |
        OUT PIO_STATUS_BLOCK pIoStatusBlock: 0 |
        IN ULONG ShareMode: 5 |
        IN ULONG OpenMode: 60
    ) called by:
    /Device/HarddiskVolume2/Program/Internet Explorer/IEXPLORE.EXE