Are we on the record right now? Is the transcription running? Okay. So here's the thing. With the transcription, you guys know that this is new this year and I think it's been very, very cool. And I've had a lot of questions about how it's working because it is so darn effective. So the way that that's actually happening is there is a live participant of PartyTrack that is not here. They are off-site and it's a court reporting service. So ponder that. Okay. So when I'm not at DEF CON, I'm an attorney back home and court reporters obviously sit there and transcribe court proceedings and depositions and very bland and boring types of materials. So there is a team of court reporters that has now gotten to transcribe this for all of us and type the words that have been coming out of all these speakers' mouths like dongs, pumpkin poop, booze. Okay. So it may be one of the more interesting types of projects that they've ever been assigned to. So my question to our court reporter is what do you think? Just one more time for our court reporter here in PartyTrack. Let's make applause show up on that screen. Awesome stuff. I'm going to be taking off pretty soon. You guys have been great. PartyTrack totally rocks and I will probably see you all next year. Without further ado, we are going to learn something about exploitation detection systems now. Have a good time, everybody.

Hello, guys. Hello, girls also. Girls mainly. Today I will talk about exploitation detection system. First, I'm from Egypt. I'm a researcher at QCERT in Qatar. I'm the author of some open source projects like SRDF. I will talk about SRDF today, and Pokas x86 Emulator. I wrote an analysis paper about Stuxnet. That's it. That's my first time here in DEF CON. So thank you for giving me this chance. Okay. Let's begin.

As you all know, been testing ground for a long time. I've been testing right now. Hacking right now has become different from the security compliance that we add.
Like, they are not attacking the servers right now. They are not trying to use Metasploit and attacking the server using Nmap and all of these techniques. Right now most of the attacks are advanced persistent threats. They are attacking from the client side. They are using spear phishing. They are attacking the employees of the company. And from their clients, from their machines, they are attacking the servers. So they can bypass most of the security compliance applications, firewalls, intrusion detection systems, intrusion prevention systems. They can bypass everything. They use some undetectable malware infecting the clients using HTTP connections, HTTPS. So they are bypassing everything. They are bypassing also the antiviruses, and all of the security tools right now become useless.

So what's the solution? What is the new technology? What's the new era? That's what we are talking about today. The next security technology, from my point of view, is the exploitation detection system. We now need to secure the client like we are securing the server. We need to secure from the client-side attacks and exploits. We need to stop the successful exploitation and stop the use of zero days and make it harder. Actually, when security began, they began with antivirus as a technology, the wow technology, and after a time it was bypassed and there were other attacks. They created the firewalls and they became very, very powerful. And after a time, they are now bypassed. So what's next? The next is the exploitation detection system. That's the era of exploitation detection system.

Today, I will talk about the exploitation detection system as a new technology, as a new concept. That's what I already talked about. I will talk also about my tool, my exploitation detection system tool, how it can stop the attacks, how it can mitigate the attacks. I will talk also about the development, still in the middle, but I will talk about what we have reached until now.
And I will have a little bit of advertisement for my open source development framework. I will talk about it also. How many people here know about assembly, exploits, understand all of this? Good. Not too much. But I will explain everything from zero. No problem.

Okay. First, we'll talk about why EDS, the goals of this tool, how I created all of this. Then I will talk about the design of this tool and the mitigations that it uses inside EDS to stop all the attack vectors. And I will talk about the attack vectors, explaining them in detail, not in brief, not use details for everyone to understand. And I will talk about the monitoring system. It's also inside EDS. And then the development and my future point of view for EDS. Let's begin.

Simply, as I said, it's created mainly to stop the exploitation. As I see, most of the attacks now are using social engineering, and the exploitation is a client-side attack and all of this. So that's what I created this tool for. It stops the memory corruption exploits. I know maybe you don't know about memory corruption. I will describe it right now. It detects the compromised processes. If you have Adobe Reader and a malicious PDF file running in it, and it also exploited your process. So it tries to detect that this process was compromised due to an unknown behavior or has some corruption in its memory. And it stops that. It prevents or alerts someone in the company, the IT administrators or the security team, that there is a machine or there is a client who has been hacked.

Simply, memory corruption is about what if you have a space of memory and there is a buffer created for the use of the application, to take the username and password, and imagine that the maximum for your name will be 200 characters. No one has a name longer than this. So it creates a buffer for it and takes your username, copies all your username inside this buffer, and you don't check on the size of your username, and then run.
Actually, if I send the username with one of the 1,000 bytes or so, 1,000 character length, he will write on the 200 bytes of this buffer, and then he will overwrite some other places in memory. These places in memory could be, if you are, could be a pointer to other places in memory, could make some corruption, could be a pointer in a code in the stack. Something in the stack has a pointer named return address. The processor or the CPU, after a time, goes through this pointer and executes the code that this pointer points to. So if I overwrite this pointer, I can make the, the, the CPU go to another place in your application. So if it's something that checks the password, I can overwrite this pointer and make it return that you are, you win or you, you passed or something like this, or your username and password are correct. So I can change the behavior of your process using some modification in your memory, and that's what's named memory corruption. You can know about it more in Corelan.be. The Corelan Team is a very, very good team, has 10 exploits talking about memory corruption vulnerabilities, how to use it, how the people use it. And as you see in these pictures, I show you that there is an overwrite, he has overwritten the return address as you see, so I can now modify the behavior of this process.

Okay. Some people will ask, okay, it is a good point, but what's the difference between, like, exploitation detection system and the antivirus? Simply, EDS is not signature based, it's not mainly behavior based, it's simply searching the memory for any corruption. If there is unknown corruption or unknown overwrite, it can detect that. It doesn't detect malware, it's not to detect there is a new virus or something, it just searches for exploitation.

Okay. So there is something before EDS? There is something new? No.
There are compile-time solutions, and the compile-time solutions were created by Microsoft, like the GS cookie. They add a cookie before the return address that we saw in the previous slide to check if it was overwritten or not, something like this. But the compile-time solution has a problem, that it forces everyone to recompile the application to add this feature. So always there is an exception, there will be someone, a developer who will not compile with the new technology, so I can bypass. There are other runtime solutions, one of them was EMET, who talked about his great tool from two presentations, and there are others. Actually, from my point of view, I see it's like on-off mitigation, it's you are, you are, this action is a malware or this is an exploit or that's not an exploit. I need something more flexible. It's one layer of mitigation, one layer of defense, it can't know whether it was bypassed or not. I will talk about this.

Okay. So what do we have, what do we have, what new things do we have? We have cooperative mitigations, we will talk about this. We have a scoring system, we have something more flexible to detect exploitation and so on. We have an additional layer, a monitoring system, and this monitoring system, we will talk about it. It detects if there is something that bypassed the attack, bypassed all mitigations, and there is an attack already working, so it's another additional layer to secure.

Simply, the design is that there is payload detection, we will talk about what is shellcode and what's a ROP chain. We have a shellcode detector, we have a ROP chain detector, after that we have the attack vector detector, we have security mitigations for the stack and the heap. Actually, the stack, as we saw in the two slides, it's a place to include some return addresses, and these return addresses, if they were overwritten, it will create a problem, it can change the behavior of the application. The heap has something similar named Vtable.
Vtable actually has some pointers to some functions. At a time, the processor can execute one of them, and if they are also overwritten, it will create a problem. After that, we have the scoring system and the monitoring system.

Okay. The scoring system is based on readings, based on payload detection, based on shellcode, based on what you sent in your input, if you sent a code or something like this, if you sent a ROP chain or return address. Also, it includes, it detects the exploitation attack vector. If there is an attack way he did, there is something suspicious, try to stop this. Also, it scans on something suspicious related to this process, like Adobe Reader connecting to unknown sites, or creating a new process named command.exe, that's a suspicious action, so it gives more score or a higher score for this attack or this input. There is something more suspicious.

The monitoring system is simply searching for evidence of exploitation, detects there is a bypass to the mitigation, this process was compromised. They include like unknown DLLs, there are some functions hooked or something like this, there is something unknown running in this process. We will talk about it in detail.

First, what's shellcode? Simply, as I told you, I can send a username of 1000 bytes, but I can overwrite a return address, and I can also modify this return address to return to my user name, so the processor will execute my user name as if it's a code. So, shellcode is simply some bunch of bytes I can send as if it's a username, and actually it's an assembly code in bytes, so when I can modify the return address, I can make the processor execute my user name or execute the bytes, this bunch of bytes, and this bunch of bytes does an action for myself, so I can control your process, I can send you a code and this code will get executed and I am like inside your PC.
The shellcode, simply, first, it gets its place in memory, that's the first thing it does, because it's running in an unknown space, it's just user name code in an unknown buffer, so it tries to find where it is, and then it gets the Windows functions to execute, like, I need to execute a new application, I need to create command.exe, I need to connect to the Internet, so it gets the Windows functions to do all of this, and then attack. There is a good article about this on CodeProject, you can check it. Is there any problem until then?

Actually, some shellcodes are forced to not have any null byte or zero. Why? Because when I send the user name, the user name always is just a string or a text, so the text in Windows finishes with a null byte or zero byte, that means that user name, your user name was finished, so the shellcodes should not have null bytes, that's a point, or most of them. They are sometimes encrypted. If you see Metasploit, how many people here use Metasploit? Actually, in Metasploit, when you choose the payload, choose a shellcode, you can encode it to bypass antiviruses and all signature-based ways, so sometimes shellcodes are encrypted, and there will be like a loop trying to decrypt it byte by byte, so there will be a loop, some code executing in like a cycle. And some shellcodes are forced to be in ASCII, like they are characters A, B, C, and so on, because some applications that check the user name include some unknown bytes, that's it.

So, we need to detect that this user name, this person name, includes some shellcode, includes some code inside it, and he tried to modify the application behavior to run this shellcode. So I created a shellcode detection tool. My goal in this tool is to be very fast, because this input will be sent in a small time, and an action will happen after that, so I don't need it to be memory consuming or time consuming. I need it to be very hard to bypass, and to be very strong, and have some false positives, but as low as I can.
So, I added static shellcode detection. Static shellcode detection means it just, at maximum, disassembles or just checks the bytes. When it detects a shellcode, it doesn't run it, that's the meaning of static, it doesn't run the shellcode, it just scans on it, it disassembles, converts it to assembly, and tries to understand if that's really an assembly code or just a bunch of bytes. And we divide this shellcode detector into three phases. The first phase is that we search in this user name for an indication there is a code, there is a working code, and how can we do this? Like we detect there is a loop, a working loop inside, there is something, if I disassemble all of these instructions, I find a jump to one of these instructions and the code is simply working. That's the first indication of possible shellcode. The second, I filter all of the instructions that are invalid or some severe instructions, that are corrupted or not used in the normal process. And then I do some flow analysis on all of this shellcode, whether this code will work fine or it will not work, it's just a bunch of bytes.

Why do you stop speaking? What are you saying? Let's take a break. You know the drill. What are we called? No, it's not fuck this speaker. Shot the noob. What are you doing? Oh, and we need, who's the first timer? I think the guy here in front actually got there first. All right, here you are, sir. What? Oh yeah, we have to interview him first. What's your name? Orbo. Where are you from? Utah. Why'd you come to DEF CON? Why are you drinking? Because I'm not Mormon. All right. Cheers. All right, cheers to everybody first time at DEF CON. How's he doing? How's he doing? Should we invite him back next year? That was a big one. In five minutes. Yeah, exactly. We're taking this? Oh, are we taking this? Is this yours? No, no, no, it's not mine. It's looking good. That's awesome. I don't know, but we'll just leave it there for the next few years. Thank you. Thank you. Thank you guys.
What do we see? That's the shellcode detection. Okay. We search for an indication of shellcode. First, we search for a working loop. How it works: actually, the assembly code for x86, its instructions have a variable size, like an instruction of three bytes, an instruction of five bytes, and so on. So what we are doing is we disassemble from a place and we search for a jump to something previous, and disassemble between all of them. If the assembly code works fine at the last instruction before the jump, it means that it's something, it's a real loop. So the jump is here, pointing to an instruction, and all of these instructions will be running, and will return to this jump, and so on. We search for something like this. It seems that it's a working loop, that seems a shellcode, that's just an indication.

We check for, there is in some shellcodes, they call to something, to an address previous. Why? To try, using a simple way, to get where they are in the memory. I don't know, I don't need to enter the details, but we can detect there is a call to something previous and disassemble between the call and the destination, so we can know that it seems a working loop or something like this. We check also on some loop instructions inside the x86. That's the first way to indicate there is a shellcode or something.

Then, if we didn't find the loop, we search for a high rate of the push instruction.
Usually it was used in the shellcodes that must be ASCII, must be characters, A, B, C, something like this, and we detect there is a high rate of these pushes. And after that, usually the shellcodes that include pushes, the push is an instruction to save a value inside the stack, so if you have hundreds of pushes and then a call to the stack, it could be like an encryption way, or a shellcode encrypted that will decrypt all the shellcode in the stack and then call to it, so we can detect something like this. And also we have an instruction named fstenv, that's a simple instruction, but it's used very much with shellcodes because it detects where the shellcode is. So with all of these three ways, we can see that it seems a shellcode is here, that this assembly or this person name is suspicious.

Then we skip some invalid instructions. Some of these instructions, in, out, and all of these, are related to devices and are used in the kernel mode of Windows, used by the device drivers, not used by normal applications, and some of them are instructions that have unknown behavior, some crazy things in Intel assembly. But we skip all of these instructions if we found them, so if we found the shellcode has these instructions, it seems corrupted or something.

And then we do some flow analysis. Simply, if you have a loop, the loop should have, if it saves something in the stack, it should get the value that it saves in the stack, because the stack is like a cup of water, you add to it and then you take from it, so you can't fill it until it overflows, you just, you need to add to it and then take what you added. So if you have a loop, you should have a push and a pop, you should have something added in the stack and another instruction taking from the stack, so we check on this. We check on compare and jumps and all of this, we check for the null-free bytes.
After this, after I designed this shellcode detector and after I wrote it, I tested it on some false positives and some real shellcodes in Metasploit. For the false positives, I detect that four percent of the shellcodes, four percent of junk data, it detected as a shellcode. It's not a very high level of false positives, but not few. But it detects all Metasploit shellcodes, it can detect them, it can detect the Shell-Storm shellcodes, a famous website for shellcodes, but actually manual evasion is still possible.

It's simply return-oriented programming, and as you can see, it's simply, there's some mitigation Windows created named Data Execution Prevention, to prevent any data sent as user name or something like that from being executed. So some people try to return inside the application itself and try to find very few instructions, after these instructions a return instruction, and to make a call return or return to some instructions and then return to some other instructions inside the code section of the application, and another and another, and collect these small pieces together to create a working shellcode from the code of the application, so it can bypass the Data Execution Prevention and it can have a working shellcode. We detect all of them easily, we check if the address is in the executable module, we check whether the return is after a call or not, and all of this.

For the stack mitigations, we detect there is, we have a mitigation named wrong module switching, and it's simply that we detect that there is a return to a Windows API. The functions of the Windows API are some functions created by Windows to do some stuff like creating a new process or something like this. We check if there is a call to it or it's a return to this call. If there is a return to this API, it seems a return-oriented programming or seems an attack. We talked about the ROP attack.
Most of this type of attack vector, what they do to bypass the Data Execution Prevention, they create some pieces of ROP attacks, or ROP gadgets as we described it, some pieces of code. This piece of code is a call to the VirtualProtect API or some other API. VirtualProtect can make the stack executable, so they can use the ROP gadgets to create, to call to VirtualProtect to make the user name that I entered as a shellcode, or the shellcode inside my user name, become executable, so I can return to the shellcode and bypass the Data Execution Prevention.

So what we do is we hook the calls to the system. There is a kernel mode that includes the Windows device drivers, and the process. The process connects to the Windows kernel mode using an instruction named sysenter. We are hooking here and doing stack backtracing, check every caller to this, to sysenter, check the caller to sysenter and the caller to the caller until we reach, if there is a call from the application to this API, or there is no caller, so it's return-oriented programming. Actually in Windows 32 we can do the SSDT hooking, but in Windows 64 we don't, we can't create a device driver that hooks the SSDT, so we hook the Windows emulator, the WOW64 emulator. We can hook any function calling to the kernel mode, sysenter and something like this. We are hooking VirtualProtect and all of these protection APIs, and CreateProcess and ShellExecute, which could execute an application, so I can, so the attacker can execute command.exe for example. We hook these functions, we hook the functions that will create a socket or connect to the internet and all of this stuff.

What we do exactly, after we do the backtracing and reach the call to this application, the call to this API in the application, we check if this call is really a call to this API or that's a fake return address created by the attacker.
We do some checks, like we check if there's a call to this API or not, we check the parameters, if really what we saw in the parameters are the parameters that were created by this API caller, the application called this API with these parameters or not, we will see this again. We check if the application itself has a call to the function that called this API, we check other things, and after that we give a score to this API, yes, that's a call to this API or not. We check on different types of calls to detect there's really a call to this API. We check the parameters, we check if really there's a constant parameter the process gives to this API, like it gives a parameter, like it gives the name of the process. Actually, there is a CreateProcess API, and it gives to the CreateProcess API as a parameter a specific application, and an attacker tries to use this part of the code and tries to give it another parameter. We can detect something like this, we will see right now.

Let's see the demo. Anyone see anything? Anyone see anything? Okay. I don't see it already. Simply, we begin by, we have Firefox, the Firefox application, and we try to, okay, we try to hook this API and hook Firefox and check, if we run an application using Firefox, if there is a real call to this API or not, or it's really Firefox who ran this application or it's a fake call or something. We first hook the application and then we here click on an application in Firefox, so we force Firefox to execute an application or create a process, and then we check on the parameters of this. I don't see the video but no problem. We check on the parameters, we check on the call stack, we do some stack backtracing and check on the call stack and check on the parameters, we check the score and we saw the score is two, so it's a normal call, and then, I don't see anything but okay.
I made a vulnerable application, a small vulnerable application which does not call ShellExecute. It gives an input and returns to ShellExecute, so I tested it, okay. I run the application and it's, it gives the message in the call, in the code, and then it should return to ShellExecute, which executes a function. So we check this and it detects there is, there is no call, and it detects there is an attack and gives a high score so it can stop this attack.

And then we have an SEH mitigation. Simply, we check the structured exception handling is working fine.

And then we have some mitigations for the heap. We detect the heap overflow, heap spray, heap use after free. We have the GlobalAlloc, the functions that allocate in the heap and all of this, and we add some cookies on each allocated buffer and try to detect if there is an overflow to this buffer in the heap or not. And for heap spray, we try to detect there is a large memory allocation in a very small time from the same module and try to stop this heap spray. We scan for shellcode and ROP chain. If we found the shellcode and ROP chain inside, it's simply heap spray. And we detect use after free. For, we detect there is a use after free, if there is a class including some pointers or creating something in a VTable, we try to make this buffer freed later, we delay its free, so we can, we can stop any use after free.

And then we have the scoring system. We described the scoring system. We stop the, all types of attacks using our scoring system. We try to take the payload and the attack vector and all of this, and then if we didn't find it's a real attack, we can at least mark it as suspicious and give it to the administrator.

We have the monitoring system, and the monitoring system checks if all of our mitigations were bypassed. We check the executable places in memory, we check, check if there is an executable place in the stack, there is an executable place in the heap, there is an executable place in memory-mapped files, so
it's something suspicious. We search for ROP chains in the memory and shellcodes and all of this stuff, we check if there is a thread running outside, running outside the memory, and all of this.

What we are planning for, we are planning for any company to have a central server which gets all the logs from all of the exploitation detection system applications inside the, the clients inside the company, so they can get some information from all of this, detect if there is a suspicious action that happened on all of the clients, and then also correlate all of this information with the intrusion detection system and all of these tools, so they can create a timeline of an attack, they can detect there is an attack and contain it. That's the future work.

The development: EDS is based on Security Research and Development Framework. It's a development framework already created, until now it includes three contributors. It's a development framework, it's for Windows right now, and we could include a Linux version and a Python version. Simply, SRDF is a development framework for writing security tools. This development framework includes a bunch of security tools inside it. It includes the PE and PDF, including Android. It includes for static analysis a full assembler and disassembler engine, and this assembler, it includes some wildcard scanning and all of this. It includes for dynamic scanning full process analysis, a debugger, a full debugger and an emulator. It includes for behavioural, API hooking and all of this. Simply, SRDF is a development framework, you can build your application using it. You will not waste your time. If you have an idea and you need to implement it, you will not waste your idea, you can use the SRDF and implement your idea easily and don't waste your time on creating and reinventing the wheel and creating all of the tools. We have network analysis, we have packet capturing, session analysis and all of this. I will talk about it in details in virus polluting.
Just join us, that's the website, the GitHub version, join SRDF or use it. You can reach us for the system. If you need to support this idea, if you have feedback, if you have any question, if you have anything, just email me or send me on Twitter or anything. That's it. The EDS system, in my opinion, it's a new era. Just all people should jump into something like this. That's the new technology which will kind of stop the APT attacks. Join us. Thank you.