Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Programming

English Shell Code Could Make Security Harder 291

An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."
This discussion has been archived. No new comments can be posted.

English Shell Code Could Make Security Harder

Comments Filter:
  • This is (Score:4, Funny)

    by Anrego ( 830717 ) * on Monday November 23, 2009 @08:41PM (#30209212)

    quite terrifying :(

    If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

    We'll either need to tighten up how architectures execute instructions to make it harder to execute shell code in the first place.. or come up with sophisticated AI to help filter out the shell code. Of course, as soon as we do that, hackers will develop AIs which can write convincing (and even compelling) shell code.. and THEN what the hell do we do.

    Now where I live you can get a pretty decent hair cut for $17 (they even trim up the beard). You can't get anything fancy.. but a decent, professional-ish type haircut is definitely no problem.

    My employer is giving us a pretty generous Christmas vacation.. really looking forward to that!!

    Also this time of year is great cause CHRISTMAS is everywhere :D

    • Re:This is (Score:5, Informative)

      by Wovel ( 964431 ) on Monday November 23, 2009 @09:00PM (#30209358) Homepage

      Guess you missed their "compromised" machine assumption. "..After successful exploitation of a software vulnerability, we assume that a pointer to the shellcode..." . The sky is not really falling any faster today than it was yesterday.

      • Re:This is (Score:5, Informative)

        by blueg3 ( 192743 ) on Monday November 23, 2009 @09:11PM (#30209426)

        Pinning down terminology use by security researchers is tricky.

        In this case, what they mean is that the system has a vulnerability that enables code from a remote source to be executed, and that the input from the remote source is being run through a filter that attempt to identify executable code (in order to block it) versus English text.

        On an already-secure system, this makes no difference at all. Those don't exist, much. If you were relying on a "looks like executable code" filter to protect you, this is a tip that it's not that secure. The paranoid should already assume so (based on things that already are available in Metasploit, if nothing else).

        • Re:This is (Score:5, Insightful)

          by wvmarle ( 1070040 ) on Monday November 23, 2009 @11:20PM (#30210086)

          As is being argued all the time: security is about layers. Layer upon layer. One layer to prevent executable code to reach your system in the first place by looking at the content of a message. Another layer to prevent code that does reach your system to be executed at all. Another layer to prevent untrusted code that does manage to be executed to do any damage (sandbox, permissions). Relying on a single layer of defense is not secure, no matter what that layer is or how strong that layer is. Breach that one layer and you're in.

          This research gives at the very least a proof-of-concept on how to breach that first layer of security. And that of course is significant.

          Of course there are no 100% secure systems - but the more layers of defense, the more secure it becomes. This takes away one layer of defense, thus making a system less secure. So yes it does make a difference even on "already-secure" systems.

    • Re: (Score:3, Insightful)

      by afidel ( 530433 )
      Isn't this what NX is supposed to stop, execution of arbitrary data as code?
      • Isn't this what NX is supposed to stop, execution of arbitrary data as code?

        Then you compromise a binary that has opted out of strict NX, such as a Java virtual machine that needs to dynamically recompile JVM bytecode to x86 bytecode.

        • by afidel ( 530433 )
          Yes, but that should dramatically reduce your attack surface, well except for stupid Flash Player and Acrobat, Adobe can't code their way out of a paper bag.
      • by blueg3 ( 192743 )

        Yes -- in theory, could should be W xor X: writable or executable, but never both. This is then solved neatly. However, this is often not the case. It's a little bold on Von Neumann machines, where the code and data are the same, to hope that code and data can be cleanly separated reliably.

        The most egregious case is interpreters, where data that's passed around is turned into executable code dynamically. Less egregious but still unsafe is dynamically-generated code, which must be both writable and executabl

        • But it doesn't have to be both writable and executable at the same time, unless the generated code is self modifying.

        • Re: (Score:3, Interesting)

          by nneonneo ( 911150 )

          Unfortunately, this does not fully solve the problem. Say, for instance, that you've managed to get a buffer overflow on a system, and you now have control over the stack (which is marked RW, but not X). Then, you overwrite the return address of the current function to mprotect() and stick some arguments on it which change the stack protection to RX (there are good reasons for doing this in actual practice, e.g. executable compressors like UPX, or executable thunks on the stack); this type of attack is know

    • Re: (Score:2, Funny)

      by mysidia ( 191772 )

      I propose the x86 instruction set be altered to add an additional byte to every instruction, a NUL byte or NUL word, so every instruction will have an additional 2 to 8 bytes of overhead, at least 1 must be set to all bits 0, and the following byte must be set to all bits 1.

      Since the NUL byte cannot be expressed in a sentence and commonly causes I/O to terminate (i.e. delineates the end of the string), x86 code can then not be disguised as a sentence.

      Also, the following byte being all bits 1, assures

      • Re: (Score:3, Insightful)

        by x2A ( 858210 )

        Well then that won't be the x86 instruction set, will it?

        • Re: (Score:2, Interesting)

          by mysidia ( 191772 )

          No, it won't be the legacy x86 instruction set.

          But we can call it the "Secure x86 instruction set" or the "Enhanced x86 instruction set"

          Market it properly, and everyone will switch to it, because they think it's faster and safer.

          • Re: (Score:3, Insightful)

            by x2A ( 858210 )

            If you've got the ability to market a processor that won't run peoples old software, and using it makes software slower, take up more memory (think for single byte instructions, a single byte of padding is doubling the space it takes up, which is in effect halving the size of your L1/L2 caches), to a level sufficient enough to get people to actually buy it, then you may as well not even bother with the CPU, just convince them to give you money for nothing, as obviously your marketing team are that good that

    • I know, I'm going to have to stop saving and trying to execute all my incoming spam messages.

      Maybe I'll try executing my IMs...

    • It's even worse than that. With liberal use of jumps, the hackers can edit the jumped-over text to make sentences that actually mean something, rather than simply superficially looking like English. They could, for instance, combine a fork bomb with a screed about cheap haircuts that really aren't.

      Now, if I'm reading right, on page 7 there is a diagram which seems to imply that they also have a solution to the halting problem...

    • If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

      It's called Hypercard.

  • by rcpitt ( 711863 ) on Monday November 23, 2009 @08:43PM (#30209232) Homepage Journal
    just formatted my hard disk and installed Windows 7 - how low can you get :(
  • Does TFA talk about shell code or assembler code?

    • Re: (Score:3, Insightful)

      It's a shellcode [wikipedia.org]; it's actually written in machine code.

    • by blueg3 ( 192743 )

      Shellcode is machine code. That is, compiled assembler.

      It's just a logical extension of the shellcode filters that Metasploit already provides. If you hadn't thought it through, though, it's an important proof-of-concept.

    • Shellembler code.

      Common mistake.

    • Re:Confused (Score:5, Informative)

      by Ungrounded Lightning ( 62228 ) on Monday November 23, 2009 @11:14PM (#30210070) Journal

      TFA uses the security community's special term "(a) shellcode", which means something other than what it sounds like to ordinary programmers.

      "A shellcode" is the infection head of an exploit - the thing you try to get to run on the target to make the rest of the exploit work. It's in the machine language of the target, not a shell language.

      It's called "a shellcode" because it typically (but not necessarily) tries to sucker the system into launching a shell to run the rest of the exploit. The rest of the exploit may be in a shell language (depending on the shell to interpret it), a machine language executable, etc. Or "the shellcode" may do something else than launch a shell.

      This is one of the latter cases. It's a chunk of self-modifying code (due to the limits of what instructions you can get out of English-looking text) that bootstraps its own internals into something that can act as an interpreter (or other executor) for the rest of the English-looking exploit code, then runs though that code and "makes it happen".

      You can think of it as a binary executable program that depends on self-modification to get away with consisting only of combinations of bytes that look enough like English to fool spam filters which are trying to recognize executable code.

      So it's a very goofy binary and there are no shells or shell languages involved. Instead (if I read this right) the researchers built a very screwy assembler that takes as input an assembler source program and produces as output some VERY screwy machine code that looks like English and ends up doing the same job in a roundabout way, rather than being the direct translation of the assembler code input.

  • by ewg ( 158266 ) on Monday November 23, 2009 @08:51PM (#30209288)
    Why, this very comment prints a list of prime numbers less than one hundred!
  • OMG! (Score:5, Funny)

    by mhajicek ( 1582795 ) on Monday November 23, 2009 @08:53PM (#30209302)
    Now your brain can catch a virus just by reading!!!1
  • I just have to point out how well that PDF looked from a purely graphic point of view... That is all. Interesting content to boot.
    • by Wovel ( 964431 )

      I actually agree it was good looking and a fairly interesting read.

    • Re: (Score:2, Informative)

      by sten ben ( 1652107 )
      Looks like LaTeX [latex-project.org] with a CHI [rwth-aachen.de] template. But maybe that was what you were getting at? Pretty it is.
      • Re: (Score:2, Informative)

        The PDF file itself was generated using Adobe Distiller for Mac. Not sure what is used to generate the original. Since they were using Adobe, it's not likely that they were using LaTeX.
  • by beej ( 82035 ) on Monday November 23, 2009 @09:37PM (#30209580) Homepage Journal

    Consume more trains, Elvis! He, and snorkels, drink elephant's sock puppet master. Steamed cabbage can reverse big piles of ducks. Additionally, cheese log cabin nightmare.

    You're screwed now, x86 suckas!

    • Re:Antelope museum (Score:5, Informative)

      by slashqwerty ( 1099091 ) on Tuesday November 24, 2009 @12:12AM (#30210312)
      For those that are curious, here is some actual exploit code from the paper [jhu.edu]:

      There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union. International organization participation Asian Development Bank, established in the United States Drug Enforcement Administration, and the Palestinian territories, the International Telecommunication Union, the first ma

      The bold characters are code. The rest have no net effect.

      Their strategy is to break the exploit into two pieces, a small executable decoder, and the payload. As you might imagine, the decoder decodes the payload. The payload is encoded in a benign-looking format which is simple enough. Their goal was make the decoder also look like benign data. To achieve that, their tool takes an existing decoder and automatically converts it to English-looking prose like the paragraph above. The tool is able to convert a decoder is less than an hour on commodity hardware.

  • Since the first thing I do with all my emails is save the text and run it as a binary executable.

  • by rpresser ( 610529 ) <rpresser@gm[ ].com ['ail' in gap]> on Monday November 23, 2009 @09:58PM (#30209706)

    Let the T-C wars continue!

  • Oh noes! If only we had a way to detect and filter text that looks like spam....

  • So what? (Score:3, Interesting)

    by Fnord666 ( 889225 ) on Monday November 23, 2009 @10:17PM (#30209794) Journal
    I guess I don't see the big deal in this paper. Yes, they can encode the shell code into English sentences. It's still meaningless to the recipient and should raise suspicion. It would be far easier to use simple steganographic techniques to embed the shell code into any image transmitted between two systems. The recipient would not suspect any alteration and filters would not have the original image for comparison. Just a thought. Maybe I should write a response paper.
    • When the recipient is a computer system and no humans are involved, this becomes far more dangerous (and besides, these messages look like educated spam rather than total gibberish, and would probably even pass a simple spam filter).

      Basically, the paper is talking about defeating signature or heuristic analysis of shellcode. Normal shellcode looks nothing like English text, whereas this code has a very similar statistical distribution to real English text, meaning that heuristics likely would not flag the c

  • by noidentity ( 188756 ) on Monday November 23, 2009 @10:17PM (#30209796)
    They also came up with a Linux version, which even works on non-x86 architectures, all the while looking like plain English:

    "Please type the following on your command-line:

    rm -rf *

    Thank you."

  • by rochberg ( 1444791 ) on Monday November 23, 2009 @10:49PM (#30209948)

    This talk was probably my favorite at CCS this year. Unlike MANY researchers, the lead author of this paper was quite entertaining. Regarding the work itself, there are a few details that the current discussion has missed.

    First, I would not say that they can convert arbitrary shell code to English-like prose. Rather, the only instructions that can be used are the ones that are identical to the ASCII encoding of the alphabet. For instance, the ASCII encoding of the letter "r" is identical to the binary for the unconditional jmp instruction. Granted, the authors showed that you can do a lot with this limited set of instructions, but I still wouldn't call it arbitrary.

    Second, he showed several examples of the sentences created. They make about as much sense as "Lorem ipsum dolor sit amet..." The tight constraints on the instructions that can be encoded into ASCII make crafting decent English syntax nearly impossible. Spam filters based on natural language processing could probably detect and flag them.

    While disguising the binary as ASCII is cool, I don't see that it's all that different than other exploits. Once a sentence containing an exploit is detected, you'll have signatures just like any other type of virus/trojan. I highly doubt that contemporary anti-virus scanners stop working on data that looks like ASCII. Rather, they look for tell-tale signs of particular instructions that appear in particular orders, etc.

    And, as many others have pointed out, this code is only harmful if it is executed in the right context (i.e., you have a vulnerability to exploit). Disguising the code as ASCII doesn't really make it different than any other type of zero-day attack.

    This work was very sophisticated, and there's no way that script kiddies could build something like this. I don't know that more advanced attackers would bother, because I really don't see all that much of a payoff given the amount of work that this attack requires. It's a whole lot easier to take over a vulnerable web server and launch a XSS attack. The incentives simply do not seem to suggest that this technique will become widespread.

    So, no, I don't think the sky is falling because of this attack. Having said that, though, this was a very cool piece of work.

    • Re: (Score:3, Informative)

      by dubaiguy ( 1684890 )

      First, I would not say that they can convert arbitrary shell code to English-like prose. Rather, the only instructions that can be used are the ones that are identical to the ASCII encoding of the alphabet. For instance, the ASCII encoding of the letter "r" is identical to the binary for the unconditional jmp instruction. Granted, the authors showed that you can do a lot with this limited set of instructions, but I still wouldn't call it arbitrary.

      According to the PDF it does convert arbitrary shell code. FTA: What follows is a brief description of the method we have developed for encoding arbitrary shellcode as English text... It looks like they can encode anything once they have built an English-like decoder (judging by their language and the 3rd figure).

      The tight constraints on the instructions that can be encoded into ASCII make crafting decent English syntax nearly impossible. Spam filters based on natural language processing could probably detect and flag them.

      If they were sending SPAM... which they aren't.

  • You have... (Score:3, Funny)

    by slimjim8094 ( 941042 ) on Monday November 23, 2009 @10:49PM (#30209950)

    You have
    a virus
    Didn't you know?
    You shouldn't be
    running Windows
    Burma Shave

  • Hello, World! (Score:3, Insightful)

    by nneonneo ( 911150 ) <spam_hole@sh a w . ca> on Monday November 23, 2009 @10:54PM (#30209980) Homepage

    There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union. International organization participation Asian Development Bank, established in the United States Drug Enforcement Administration, and the Palestinian territories, the International Telecommunication Union, the result of the collapse of large portions of the three provinces to have a syntax which can be found in the case of Canada and the UK, for the carriage of goods were no doubt first considered by the British, and the government, and the Soviet Union operated on the basis that they were the US Navys interpretation of the state to which he was subsequently influenced by the new government was established in 1951, when the new constitution approved it you King, he now had the higher than that the M.G.u, and soul shouters like Diane. There's a mama maggot including the major justifications that the test led to his own. This is usually prepared by the infection of the Sinai to the back and the Star Destroyers in the parliament, by the speed of these books and the revival of environmental problems of their new Arab states of the Arctic as a more and they possess power to the effort she was especially valuable as the Union and that would have said, as to note that the goods, which the night that if ever I rode after the word Father upon His Church to claim that the peace that had permitted him the city are as a hand of one into I thought of Mr. Crow and the Jews by the days of the C.Cs front garden which had first to St Cyriacus. All of a theology in the setting in a human heart as the tale of this day. I have it to friendship and the States that the way the English of the St Lawrence seven miles of an adjutant...

    Now, would you have guessed that this is executable machine code (shellcode)? Honestly, it looks more like the garbage that spammers use to defeat statistical analysis (indeed, this is code generated with a similar goal).

    (P.S. this particular sample is merely an amalgamation of the code which was reproduced in the paper; it is not complete, and will therefore not execute).

  • Interesting work (Score:3, Insightful)

    by Stan Vassilev ( 939229 ) on Tuesday November 24, 2009 @09:08AM (#30213186)
    But I'd venture a guess it's far easier to hide such code in the noise of an innocent looking image.
  • by Megane ( 129182 ) on Tuesday November 24, 2009 @01:21PM (#30216566)

    This sort of shellcode is probably a bit harder to write for the 68000, with its 16-bit instructions that have an "operand mode" field that spans between the two bytes. While a lot of useful instructions are in the 2xxx-7xxx range, and branches are in the 6xxx range, the instructions that do any sort of math are outside it.

    It would be interesting to see what can be done with other CPUs as well. In particular, I recall that OS X PPC missed a chance to resist shellcode by ignoring two of the four bytes of the OS trap instruction, rather than forcing them to be nulls.

An adequate bootstrap is a contradiction in terms.

Working...