English Shell Code Could Make Security Harder
An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."
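The claim in the summary rests on a property of the x86 encoding: every printable ASCII byte (0x20 to 0x7e) is the first byte of a valid 32-bit instruction. Space, punctuation and digits decode to and/sub/xor/cmp and the BCD adjust instructions, the upper-case letters to inc/dec/push/pop, and the lower-case letters to segment and size prefixes, push, imul, the string I/O instructions and the short conditional jumps (p to ~). A jcc whose 8-bit displacement is itself a printable byte always lands 32 to 126 bytes further on, which is the mechanism a generator can use to hop over text that is never meant to execute. The decoder below is an added example written for this page, not code from the paper or from the post; it assumes 32-bit decoding rules and runs over a constructed sentence, and it is a teaching subset (only the printable opcode rows, operands not printed), not a disassembler.

```c
/* Added example (not code from the paper or the post): a linear-sweep decoder for
 * the 32-bit x86 instructions whose first byte is printable ASCII (0x20..0x7e). */
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t offset, length;  /* start in the buffer; encoded length incl. prefixes */
    const char *mnem; long target;  /* mnemonic; absolute offset a jcc would reach, else -1 */
} insn_t;

/* Bytes used by a ModRM byte and its SIB/displacement, 0 if they overrun the
 * buffer.  addr16 selects the 16-bit addressing rules a 0x67 prefix enables. */
static size_t modrm_len(const unsigned char *p, size_t avail, int addr16)
{
    if (avail < 1) return 0;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;                                        /* the ModRM byte itself */
    if (mod == 3) return 1;                              /* register operand */
    if (addr16) n += mod == 1 ? 1 : (mod == 2 || rm == 6) ? 2 : 0;  /* disp8 / disp16 */
    else {
        if (rm == 4) {                                   /* SIB byte follows */
            if (avail < 2) return 0;
            n += 1 + ((mod == 0 && (p[1] & 7) == 5) ? 4 : 0);  /* SIB with no base: disp32 */
        } else if (mod == 0 && rm == 5) n += 4;          /* [disp32] */
        n += mod == 1 ? 1 : mod == 2 ? 4 : 0;            /* disp8 / disp32 */
    }
    return n <= avail ? n : 0;
}

/* Decode the instruction at buf[off]; returns its length, or 0 when the opcode
 * is outside the printable subset or the encoding runs past the buffer. */
static size_t decode_one(const unsigned char *buf, size_t len, size_t off, insn_t *out)
{
    static const char *alu[] = {"and", "sub", "xor", "cmp"}, *bcd[] = {"daa", "das", "aaa", "aas"},
        *grp[] = {"inc", "dec", "push", "pop"}, *io[] = {"insb", "insd", "outsb", "outsd"},
        *jcc[] = {"jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
                  "js", "jns", "jp", "jnp", "jl", "jge", "jle"};
    int opsz16 = 0, addr16 = 0;
    size_t i = off, n = 0;
    /* Segment prefixes & . 6 > d e and size prefixes f g are ordinary text; step over them. */
    while (i < len && (memchr("&.6>de", buf[i], 6) || buf[i] == 0x66 || buf[i] == 0x67)) {
        opsz16 |= buf[i] == 0x66; addr16 |= buf[i] == 0x67; i++;
    }
    if (i >= len) return 0;
    unsigned char op = buf[i]; size_t imm = opsz16 ? 2 : 4, rest = len - i - 1;  /* 0x66: imm16 */
    const unsigned char *mrm = buf + i + 1; out->target = -1;
    if (op >= 0x20 && op <= 0x3f) {                      /* space, punctuation, digits */
        unsigned row = (op - 0x20) >> 3, col = op & 7;
        out->mnem = col == 7 ? bcd[row] : alu[row];
        if (col <= 3) { if (!(n = modrm_len(mrm, rest, addr16))) return 0; n += 1; }
        else n = col == 4 ? 2 : col == 5 ? 1 + imm : 1;  /* al,imm8 / eax,imm32 / daa.. */
    } else if (op >= 0x40 && op <= 0x5f) { out->mnem = grp[(op - 0x40) >> 3]; n = 1; }  /* @ A..Z [\]^_ */
    else if (op == 0x60 || op == 0x61) { out->mnem = op == 0x60 ? "pusha" : "popa"; n = 1; }
    else if (op == 0x62 || op == 0x63 || op == 0x69 || op == 0x6b) {   /* ModRM forms */
        out->mnem = op == 0x62 ? "bound" : op == 0x63 ? "arpl" : "imul";
        if (!(n = modrm_len(mrm, rest, addr16))) return 0;
        n += 1 + (op == 0x69 ? imm : op == 0x6b ? 1 : 0);  /* imul carries imm32 / imm8 */
    } else if (op == 0x68 || op == 0x6a) { out->mnem = "push"; n = op == 0x68 ? 1 + imm : 2; }
    else if (op >= 0x6c && op <= 0x6f) { out->mnem = io[op - 0x6c]; n = 1; }
    else if (op >= 0x70 && op <= 0x7e) { out->mnem = jcc[op - 0x70]; n = 2; }
    else return 0;                                       /* DEL or non-ASCII: outside the subset */
    if (i + n > len) return 0;                           /* truncated encoding */
    if (op >= 0x70 && op <= 0x7e)                        /* rel8 counts from the next instruction */
        out->target = (long)(i + 2) + (signed char)buf[i + 1];
    return (i - off) + n;
}

/* Linear sweep from offset 0, as a byte scanner would run.  Returns the number
 * of instructions stored (at most max); *stopped gets the offset where it ended. */
size_t sweep_printable(const unsigned char *buf, size_t len, insn_t *out, size_t max, size_t *stopped)
{
    size_t off = 0, count = 0, n;
    while (off < len && count < max && (n = decode_one(buf, len, off, &out[count])) != 0) {
        out[count].offset = off; out[count].length = n;
        off += n; count++;
    }
    *stopped = off;
    return count;
}

/* The check a text-only filter makes; passing it says nothing about executability. */
int all_printable(const unsigned char *buf, size_t len)
{
    while (len--) if (buf[len] < 0x20 || buf[len] > 0x7e) return 0;
    return 1;
}

int main(void)
{
    static const char text[] = "This is a test";        /* constructed sample sentence */
    const unsigned char *buf = (const unsigned char *)text;
    size_t len = strlen(text), stopped, k;
    insn_t ins[32]; size_t n = sweep_printable(buf, len, ins, 32, &stopped);
    printf("printable=%d  %zu instructions, sweep stopped at %zu of %zu\n", all_printable(buf, len), n, stopped, len);
    for (k = 0; k < n; k++) {
        printf("%3zu  %-5s  %zu byte(s)  \"%.*s\"", ins[k].offset, ins[k].mnem, ins[k].length,
               (int)ins[k].length, text + ins[k].offset);
        if (ins[k].target >= 0) printf("  -> offset %ld", ins[k].target);
        putchar('\n');
    }
    return 0;
}
```

On the sample sentence the sweep reads "T" as push esp, "his i" as a five-byte push of an immediate, "s " as jae forward to offset 40 (past the end of this short buffer; in a longer text it would land inside the text), "a" as popa and " tes" as a four-byte and with a SIB-addressed memory operand, then stops at the final "t" because its jump displacement is cut off. The all_printable check passes, which is exactly why inspecting a payload for "text versus code" cannot be a deciding layer.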
Re:Confused (Score:3, Insightful)
It's a shellcode [wikipedia.org]; it's actually written in machine code.
Re:In other news... (Score:2, Insightful)
And how do you suppose they generate the text then? They have a system they train with text pulled from various sources, then they use it to generate an innocent-looking text that can be executed with a predicted result, no? In other words, an assembler/compiler....
See, I did read the pdf....
Btw, I missed that there were 4 researchers, not 3...
Re:The syntax should not matter.. (Score:5, Insightful)
And nothing in their article is helping with that. They assume they are exploiting a software vulnerability. If I know there is a software vulnerability, there are 1 million and 1 less complex ways for me to blow right by any inline scanner. (One stupid enough not to look and see what the actual bytes were anyway)
Re:The syntax should not matter.. (Score:3, Insightful)
There are indeed times when I think that we built the Internet, and that it taught us only one lesson:
I'm right and you're wrong.
This is not quite as concise as "42". Also, a second Internet will have to be built to determine who is "I" and who is "you".
Re:This is (Score:3, Insightful)
Well then that won't be the x86 instruction set, will it?
I CAN BE PLAYED ON RECORD PLAYER X (Score:3, Insightful)
Let the T-C wars continue!
Re:This is (Score:4, Insightful)
Even better: inputs that can overwrite the stack can perform arbitrary code execution even if the stack is never executable, via "return-to-libc" programming.
Re:This is (Score:3, Insightful)
If you've got the ability to market a processor that won't run people's old software, and using it makes software slower and use more memory (think: for single-byte instructions, a single byte of padding doubles the space they take up, which in effect halves the size of your L1/L2 caches), to a level sufficient to get people to actually buy it, then you may as well not even bother with the CPU; just convince them to give you money for nothing, as obviously your marketing team is that good that they could do that!
Hello, World! (Score:3, Insightful)
There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union. International organization participation Asian Development Bank, established in the United States Drug Enforcement Administration, and the Palestinian territories, the International Telecommunication Union, the result of the collapse of large portions of the three provinces to have a syntax which can be found in the case of Canada and the UK, for the carriage of goods were no doubt first considered by the British, and the government, and the Soviet Union operated on the basis that they were the US Navys interpretation of the state to which he was subsequently influenced by the new government was established in 1951, when the new constitution approved it you King, he now had the higher than that the M.G.u, and soul shouters like Diane. There's a mama maggot including the major justifications that the test led to his own. This is usually prepared by the infection of the Sinai to the back and the Star Destroyers in the parliament, by the speed of these books and the revival of environmental problems of their new Arab states of the Arctic as a more and they possess power to the effort she was especially valuable as the Union and that would have said, as to note that the goods, which the night that if ever I rode after the word Father upon His Church to claim that the peace that had permitted him the city are as a hand of one into I thought of Mr. Crow and the Jews by the days of the C.Cs front garden which had first to St Cyriacus. All of a theology in the setting in a human heart as the tale of this day. I have it to friendship and the States that the way the English of the St Lawrence seven miles of an adjutant...
Now, would you have guessed that this is executable machine code (shellcode)? Honestly, it looks more like the garbage that spammers use to defeat statistical analysis (indeed, this is code generated with a similar goal).
(P.S. this particular sample is merely an amalgamation of the code which was reproduced in the paper; it is not complete, and will therefore not execute).
Re:In other news... (Score:2, Insightful)
Dude, you're wrong. Let it go.
Re:This is (Score:5, Insightful)
As is being argued all the time: security is about layers. Layer upon layer. One layer to prevent executable code from reaching your system in the first place by looking at the content of a message. Another layer to prevent code that does reach your system from being executed at all. Another layer to prevent untrusted code that does manage to be executed from doing any damage (sandbox, permissions). Relying on a single layer of defense is not secure, no matter what that layer is or how strong that layer is. Breach that one layer and you're in.
This research gives at the very least a proof-of-concept on how to breach that first layer of security. And that of course is significant.
Of course there are no 100% secure systems - but the more layers of defense, the more secure it becomes. This takes away one layer of defense, thus making a system less secure. So yes it does make a difference even on "already-secure" systems.