Protecting Critical Infrastructure through Static Binary Analysis Techniques


Explore how CTI specializes in static binary analysis to protect critical infrastructure by ensuring compliance, eliminating vulnerabilities, and focusing on functional verification.

  • Critical Infrastructure
  • Static Analysis
  • Binary Techniques
  • Compliance
  • Security


Presentation Transcript


  1. Static Analysis @ CTI. Richard Carback <rtcarba@cti-usa.net>, 443.697.6702, www.cti-usa.net. Team, Integrity, Professionalism, Commitment! CTI Proprietary Information - Recipient Is Prohibited From Further Dissemination Without Written Originator Approval. HUBZone Certified SBC.

  2. Protecting Critical Infrastructure
     • Not just eliminating vulnerabilities: compliance issues, the supply chain problem, functional verification
     • Focus: static binary analysis (WYSINWYX)

  3. Overview
     • Combining source and static binary analysis techniques
     • Utilizing big data capabilities
     • Dynamic whole-system analysis

  4. Combining Source and Binary Static Analysis Techniques

  5. (image-only slide)

  6. WYSINWYX (What You See Is Not What You eXecute)
     • Source:
       memset(password, '\0', len);
       free(password);
     • Compiled output for the same lines; the memset has been dropped as a dead store and only the free remains:
       movq -8(%rbp), %rdi
       movl $0, %eax
       call free
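The dead-store elimination shown on this slide, as an added C example (not code from the CTI presentation): the naive wipe that an optimizer is allowed to drop, beside a volatile-pointer wipe that must survive optimization, with a helper that checks the buffer really is zero before ownership is released; the secret string is constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example. The buffer passed to memset is never read again before
 * free(), so the compiler may treat the memset as a dead store and emit
 * only the call to free, exactly as the slide's assembly shows. */

/* Vulnerable form: the memset may legally be elided at -O2. */
static void wipe_then_free_naive(char *buf, size_t len) {
    memset(buf, 0, len);
    free(buf);
}

/* Hardened form: every store goes through a volatile-qualified pointer,
 * which the optimizer must treat as an observable side effect. */
static void secure_wipe(void *p, size_t len) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--) *vp++ = 0;
}

static void wipe_then_free_secure(char *buf, size_t len) {
    secure_wipe(buf, len);
    free(buf);
}

/* Helper: number of bytes still non-zero, so the wipe can be verified. */
static size_t count_nonzero(const unsigned char *p, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (p[i] != 0);
    return n;
}

/* Copies a constructed secret into heap memory, wipes it, and reports
 * how many bytes survived the wipe (expected: 0). */
static size_t leftover_after_secure_wipe(const char *secret) {
    size_t len = strlen(secret);
    char *buf = malloc(len);
    if (!buf) return (size_t)-1;
    memcpy(buf, secret, len);
    secure_wipe(buf, len);
    size_t left = count_nonzero((const unsigned char *)buf, len);
    free(buf);
    return left;
}

int main(void) {
    printf("bytes left after secure wipe: %zu\n",
           leftover_after_secure_wipe("hunter2-constructed"));
    char *a = malloc(8), *b = malloc(8);
    if (a) { memcpy(a, "secret!", 8); wipe_then_free_naive(a, 8); }
    if (b) { memcpy(b, "secret!", 8); wipe_then_free_secure(b, 8); }
    return 0;
}
```

Comparing the generated assembly of the two wrappers at -O2 (for example with objdump) shows the naive version reduced to a bare call to free while the volatile loop remains.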

  7. Binary Analysis is Also Limited
     • Obviously, it is much harder
     • Indirect control flow can get expensive
     • Limited utility: only this compilation is analyzed. What about updates? Other architectures? How do I fix problems?

  8. (image-only slide)

  9. (image-only slide)

  10. (image-only slide)

  11. (image-only slide)

  12. (image-only slide)

  13. Utilizing Big Data Techniques

  14. Attribution Problems
     • What compiler?
     • What (static) libraries?
     • Is there any copied code?
     • Is there any (known) malicious code?
     • Is this a new version of a program I've analyzed previously? What changed?

  15. Fuzzy Match
     • Break up by function
     • Remove pre/post-ambles; focus on what is unique in each function
     • Convert to an intermediate machine code representation: things which do the same thing collapse to the same representation

  16. MapReduce It
     • Map: scan for matches, calculate a match score, return it if good enough
     • Reduce: return the best answer(s)

  17. Dynamic System Analysis

  18. System State Monitoring
     • Problem: detect when state is compromised
     • Come up with a good way to create a virus signature on the fly to prevent further infection.

  19. Defining Good State
     • Measure state: watch the system under normal operations with test data; run the system through a fuzzer
     • Record: current function, stack frames, heap usage

  20. Detection
     • Watch network traffic
     • When state does not match the observed record: record the anomaly and send an alert; grab traffic and look for shell/exploit code; use static analysis to look for known patterns; generate a signature if possible; record any new processes on the system

  21. Conclusions
     • Think bigger: SA has much wider applicability than looking for clean code
     • Think framework: can we agree on a common (pseudo-compiled) representation for all architectures?
