Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs

From: Mike Murray (orestes@dorian.2y.net)
Date: 01/26/02


From: Mike Murray <orestes@dorian.2y.net>
To: core@bokeoa.com, Robert Flicker <robert_flicker@hotmail.com>
Date: Sat, 26 Jan 2002 12:11:14 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to throw in my $0.02....

Detecting the possibility that a set of information could be polymorphic
shellcode is the smaller 1/2 of the game. It seems a semi-trivial task to
detect an arbitrary number of NOOP instructions that happen to lie in a row.
The difficult task is differentiating between any randomly occurring NOP set
and a set of NOPs that are actually occurring in an exploit condition. It is
the ability to make this differentiation that polymorphic shellcode actually
hinders; as the polymorphic engine increases in effectiveness, the ability to
differentiate between a piece of shellcode and a random bit stream
effectively goes to zero.

The point is made more simply: finding 50-60 NOPs in a row in a given
datastream doesn't indicate that the given datastream is shellcode any more
than it indicates that it's any other piece of random binary data. And the
difficulty in making that determination is what determines the number of
false positives that your detection engine is going to have.

And, of course, as Stefan Axelsson pointed out
(http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf), the actual
measure of an IDS's effectiveness comes from its ability to limit
*false-positives*, not from limiting false-negatives (which, of course, makes
most current commercial IDS offerings look pretty weak). Specifically, the
more alerts that fire on email/images/random traffic as "shellcode", the less
effective any sort of IDS becomes.

Thus, in my opinion, until one finds a reliable way to determine what is
obfuscated/encrypted/polymorphic shellcode and what is not, the ability to
have an effective IDS against that type of attack is impossible.

My $0.02...

Mike

On Saturday 26 January 2002 10:53 am, Charles 'core' Stevenson wrote:
> The code is interesting and pretty nice except that it detects just
> about anything as shellcode. Even the last e-mail I sent out to you and
> forgot to CC to the list. ;-)
>
> IA32 shellcode found: Protocol TCP 127.0.0.1:57118 -> 127.0.0.1:25
> Dumping data:
> Message-ID: <3C52F9DA.451181D7@bokeoa.co
> m>..Date: Sat, 26 Jan 2002 11:47:54 -070
> 0..From: Charles 'core' Stevenson <core@
> bokeoa.com>..Reply-To: core@bokeoa.com..
> X-Mailer: Mozilla 4.7 [en] (X11; I; Linu
> x 2.4.15-pre4 ppc)..X-Accept-Language: e
> n..MIME-Version: 1.0..To: Robert Flicker
> <robert_flicker@hotmail.com>..Subject:
> Re: [NGSEC] Whitepaper Released: Polymor
> phic shellcodes vs. .. ApplicationIDSs..
> References: <F153nHxRKYblf8nFJ3V0001881d
> @hotmail.com>..Content-Type: text/plain;
> charset=us-ascii..Content-Transfer-Enco
> ding: 7bit....But it also detected the l
> ast e-mail I sent as shellcode.....Haha.
> .....peace,..core....Robert Flicker wrot
> e:..> ..> Hi charles:..> ..> Have you te
> sted the sourcecode that comes with the
> paper:..> ..> http://www.ngsec.com/downl
> oads/misc/NIDSfindshellcode.tgz..> ..> A
> s far as i know is the first public code
> that does this stuff...> It may be not
> hot-news but i think it worth the downlo
> ad, and is a better..> solution for curr
> ent IDS than your exoteric thoughts with
> Neuronal Networks..> and distributed si
> gnature checking... INMHO uimplementable
> in current IDS..> technologies...> ..>
> Quoting from www.snort.org:..> ..> "Pape
> r: Polymorphicisms be gone..> .....> His
> ideas revolve around counting multiple
> NOP type operations in a row and..> aler
> ting when a threshold is reached. The id
> ea has been kicked around for a..> while
> , but this is the first one that I have
> seen in actual implementation...> .....>
> "..> ..> Current snort branch and its t
> echnique to detect shellcode is very eas
> y..> foolable ;P... NIDSfindshellcode is
> also foolable but in a harder way...> .
> .> Robert Flicker..> ..> _______________
> ________________________________________
> __________..> Join the world?s largest e
> -mail service with MSN Hotmail...> http:
> //www.hotmail.com.....
>
> Best Regards,
> Charles Stevenson
>
> Robert Flicker wrote:
> > Hi charles:
> >
> > Have you tested the sourcecode that comes with the paper:
> >
> > http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
> >
> > As far as I know it is the first public code that does this stuff.
> > It may not be hot news but I think it is worth the download, and is a better
> > solution for current IDS than your exoteric thoughts with Neuronal
> > Networks and distributed signature checking... IMHO unimplementable in
> > current IDS technologies.
> >
> > Quoting from www.snort.org:
> >
> > "Paper: Polymorphicisms be gone
> > ...
> > His ideas revolve around counting multiple NOP type operations in a row
> > and alerting when a threshold is reached. The idea has been kicked around
> > for a while, but this is the first one that I have seen in actual
> > implementation. ...
> > "
> >
> > Current snort branch and its technique to detect shellcode is very easily
> > foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
> >
> > Robert Flicker
> >
> > _________________________________________________________________
> > Join the world's largest e-mail service with MSN Hotmail.
> > http://www.hotmail.com

- --
_____________________________________________________
| Mike Murray <orestes@dorian.2y.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Uw1qzh1RVm1QrUwRAukCAKCWWZd2t7rOaAtsqlmlRysb63lsmwCaAgVm
lOj4KLlat2jpVFAyuNzkkx4=
=b4c0
-----END PGP SIGNATURE-----
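The thread above describes the detector (count consecutive NOP-type instructions, alert at a threshold), the failure mode (an ordinary e-mail flagged as IA32 shellcode) and Axelsson's point that false positives decide an IDS's usefulness. The following Python is an added example written for this archive page; it is not the NGSEC NIDSfindshellcode code, not Snort's, and not anything the posters wrote. The opcode list, the threshold, the sample inputs and the attack/false-alarm rates fed to Bayes' rule are all constructed assumptions for illustration. It uses one detail that is a plain fact about IA-32: the underscore separator line that webmail clients append to messages (visible in the quoted mail) is a run of 0x5F bytes, and 0x5F is the single-byte `pop edi` instruction, exactly the kind of filler a NOP-equivalent counter treats as sled.

```python
"""NOP-run shellcode detection and its false-positive problem.

Added example for this thread (not the NGSEC tool's or Snort's code):
a threshold detector that counts consecutive single-byte x86 instructions
usable as sled filler, run over constructed inputs, plus the Bayesian
base-rate arithmetic behind Axelsson's false-positive argument.
"""

# Single-byte IA-32 opcodes that can stand in for 0x90 in a sled.
# This particular list is an assumption for the example; real tools carry
# their own. Note how much of it overlaps printable ASCII.
NOP_EQUIVALENTS = frozenset(
    [0x90]                                 # nop
    + list(range(0x40, 0x50))              # inc/dec r32   ('@' .. 'O' in ASCII)
    + list(range(0x50, 0x60))              # push/pop r32  ('P' .. '_' in ASCII)
    + [0x27, 0x2F, 0x37, 0x3F,             # daa das aaa aas  (' / 7 ?)
       0x98, 0x99, 0x9B, 0x9C, 0x9E, 0x9F, # cwde cdq fwait pushf sahf lahf
       0xF5, 0xF8, 0xF9, 0xFC, 0xFD]       # cmc clc stc cld std
)


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive NOP-equivalent bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in NOP_EQUIVALENTS else 0
        best = max(best, cur)
    return best


def looks_like_sled(data: bytes, threshold: int = 32) -> bool:
    """The detector the thread discusses, in one line: alert when any run
    of NOP-equivalent bytes reaches the (assumed) threshold."""
    return longest_nop_run(data) >= threshold


def random_window_false_alarm(run_length: int) -> float:
    """Probability that `run_length` uniformly random bytes are all in the
    set: a rough per-position false-alarm rate on binary data such as
    images, showing what raising the threshold buys on *random* input."""
    return (len(NOP_EQUIVALENTS) / 256) ** run_length


def p_attack_given_alarm(prior: float, detection_rate: float,
                         false_alarm_rate: float) -> float:
    """Bayes' rule as used in Axelsson's base-rate argument:
    P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I))."""
    hit = detection_rate * prior
    miss = false_alarm_rate * (1.0 - prior)
    return hit / (hit + miss)


# Constructed samples (not captured traffic).
SLED = b"\x90" * 40 + b"\x31\xc0" + b"A" * 8   # classic 0x90 sled, then other bytes
MAIL = (b"From: alice@example.org\r\n"           # ordinary text message ...
        b"To: bob@example.org\r\n"
        b"Subject: Re: lunch\r\n"
        b"\r\n"
        b"See you at noon.\r\n\r\n"
        + b"_" * 65 + b"\r\n"                     # ... with a webmail-style separator
        b"Free e-mail with Example Mail. http://www.example.org\r\n")


if __name__ == "__main__":
    for name, sample in (("sled", SLED), ("mail", MAIL)):
        print(f"{name}: longest run {longest_nop_run(sample)}, "
              f"alert={looks_like_sled(sample)}")
    # Text defeats the threshold, random data mostly does not:
    print("random 32-byte window false-alarm prob:",
          random_window_false_alarm(32))
    # Base rate: even a 1-in-100000 false-alarm rate per event makes the
    # alarm only two-thirds credible when attacks are 2 in 100000 events;
    # at 1-in-1000 the alarm is almost always wrong. Rates are assumed.
    print("P(attack|alarm), FPR 1e-5:", p_attack_given_alarm(2e-5, 1.0, 1e-5))
    print("P(attack|alarm), FPR 1e-3:", p_attack_given_alarm(2e-5, 1.0, 1e-3))
```

The same threshold that catches the 40-byte 0x90 sled also fires on the underscore line in the text message, because the detector cannot tell whether those bytes will ever be executed; that is the distinction Mike says polymorphism pushes out of reach. The Bayes helper makes Axelsson's argument concrete: with attacks rare, the false-alarm rate, not the detection rate, dominates how believable an alert is.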