Académique Documents
Professionnel Documents
Culture Documents
Architecture
Analyzing Pros and Cons
Use case: IOS malware
Use case: ROMMON debugging
Use cases: Fuzzer
Wrapping up
Sebastian Mu
niz, Alfredo Ortega
Groundworks Technologies
Groundworks Technologies
Agenda
Cisco IOS Architecture
Debugger internals
Dynamips modification
GDB support
IDA Pro support
Shortcomings of self-checking
routines
Demos:
Malware analysis
Fuzzing example
Groundworks Technologies
Dynamips emulator
Built-in GDB server
Processes
Packet
Buffers
Softw.
Fast
Switch
Kernel
Device Drivers
Hardware
Groundworks Technologies
Dynamips emulator
Built-in GDB server
Dynamips emulator
Created by Christophe Fillot
(a) 7200
1
(d) 3725
Dynamips emulator
Built-in GDB server
Debug
Kernel
Read Registers
Write Registers
Read Memory
Write Memory
Freeze OS
Remote
PowerPC
GDB
Protocol
MIPS
Special Hard
Memory
Controller
FPGA
PCI
WIC
CPU/Memory instrumentation
No JIT support
Supported commands
Read/Write CPU Registers
Read/Write Memory
Set/Unset Breakpoints
NM
Pros vs Cons
Why isolation is good?
I dont need this, I have the verify command
Shortcomings of self-checking routines
Pros vs Cons
Why isolation is good?
I dont need this, I have the verify command
Shortcomings of self-checking routines
Analyzing malware
GDB Client
Read_Memory
Request
Cisco IOS
Malware
Cisco IOS
GDB Client
Read_Memory
Malware
BuiltIn
GDB Stub
Expected (fake)
Bytes
Original memory
Mirror
Malware memory
dump
GDB Stub
DYNAMIPS
Pros vs Cons
Why isolation is good?
I dont need this, I have the verify command
Shortcomings of self-checking routines
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
Groundworks Technologies
Pros vs Cons
Why isolation is good?
I dont need this, I have the verify command
Shortcomings of self-checking routines
Malware
MD5 CHK
Clean analyis
External Trusted environment
MD5 Tool
User expected
MD5 chksum (fake)
Login routine
Result
Hash
Calculate
Cisco
IOS
GDB server
Demo!
Groundworks Technologies
Fuzzing requirements
Timing diagram
Example fuzzer
Triggered Vulnerability
Fuzzing requirements
Groundworks Technologies
Fuzzing requirements
Timing diagram
Example fuzzer
Triggered Vulnerability
Fuzzer
Dynamips
Start
Start
Fuzz case N
Signal
Exception
Get Regs
Registers
Log
Restart
Restart
Fuzz case N+1
Groundworks Technologies
Fuzzing requirements
Timing diagram
Example fuzzer
Triggered Vulnerability
Example fuzzer
Start
Connect to
FTP
Send:
Command + "AAA..." (100 As)
Disconnect
Yes
More
CMDs?
No
Crash?
Yes
Save state
No
End
Groundworks Technologies
DB
Fuzzing requirements
Timing diagram
Example fuzzer
Triggered Vulnerability
Fuzzer Demo
Demo!
Groundworks Technologies
Fuzzing requirements
Timing diagram
Example fuzzer
Triggered Vulnerability
Triggered Vulnerability
Groundworks Technologies
Demo!
Groundworks Technologies
Future Development
Honeypots
Malware analysis Lab
Exploit Dev
Duplicate exact memory behaviour (typical VMs problems)
Secure host isolation (squash Dynamips bugs)
Groundworks Technologies
Questions?
Via email:
aortega@groundworkstech.com
smuniz@groundworkstech.com
Please download:
http://www.groundworkstech.com/projects/dynamips-gdb-mod
Published under the GNU General Public Licence (GPL)
Groundworks Technologies
The End
Thanks for listening!
Groundworks Technologies