Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs

[Mike Murray <orestes () dorian 2y net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to throw in my $0.02....

Detecting the possibility that a set of information could be polymorphic 
shellcode is the smaller 1/2 of the game.  It seems a semi-trivial task to 
detect an arbitrary number of NOOP instrtuctions that happen to lie in a row. 
 The difficult task is differentiating between any randomly occuring NOP set 
and a set of NOPs that are actually occuring in an exploit condition.   It is 
the ability to make this differentiation that polymorphic shellcode actually 
hinders; as the polymorphic engine increases in effectiveness, the ability to 
differentiate between a piece of shellcode and a random bit stream 
effectively goes to zero.  

The point is made more simply: finding 50-60 NOPs in a row in a given 
datastream doesn't indicate that the given datastream is shellcode any more 
than it indicates that it's any other piece of random binary data.  And the 
difficulty in making that determination is what determines the number of 
false positives that your detection engine is going to have.

And, of course, as Stefan Axelsson pointed out 
(http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf), the actual 
measure of an IDS's effectiveness comes from its ability to limit 
*false-positives*, not from limiting false-negatives (which, of course, makes 
most current commercial IDS offerings look pretty weak).    Specifically, the 
more alerts that fire on email/images/random traffic as "shellcode", the less 
effective any sort of IDS becomes.

Thus, in my opinion, until one finds a reliable way to determine what is 
obfuscated/encrypted/polymorphic shellcode and what is not, the ability to 
have an effective IDS against that type of attack is impossible.   

My $0.02...

Mike

On Saturday 26 January 2002 10:53 am, Charles 'core' Stevenson wrote:
> The code is interesting and pretty nice except that it detects just
> about anything as shellcode. Even the last e-mail I sent out to you and
> forgot to CC to the list. ;-)
>
> IA32 shellcode found: Protocol TCP 127.0.0.1:57118 -> 127.0.0.1:25
> Dumping data:
> Message-ID: <3C52F9DA.451181D7 () bokeoa co
> m>..Date: Sat, 26 Jan 2002 11:47:54 -070
> 0..From: Charles 'core' Stevenson <core@
> bokeoa.com>..Reply-To: core () bokeoa com..
> X-Mailer: Mozilla 4.7 [en] (X11; I; Linu
> x 2.4.15-pre4 ppc)..X-Accept-Language: e
> n..MIME-Version: 1.0..To: Robert Flicker
>  <robert_flicker () hotmail com>..Subject:
> Re: [NGSEC] Whitepaper Released: Polymor
> phic shellcodes vs. .. ApplicationIDSs..
> References: <F153nHxRKYblf8nFJ3V0001881d
> @hotmail.com>..Content-Type: text/plain;
>  charset=us-ascii..Content-Transfer-Enco
> ding: 7bit....But it also detected the l
> ast e-mail I sent as shellcode.....Haha.
> .....peace,..core....Robert Flicker wrot
> e:..> ..> Hi charles:..> ..> Have you te
> sted the sourcecode that comes with the
> paper:..> ..> http://www.ngsec.com/downl
> oads/misc/NIDSfindshellcode.tgz..> ..> A
> s far as i know is the first public code
>  that does this stuff...> It may be not
> hot-news but i think it worth the downlo
> ad, and is a better..> solution for curr
> ent IDS than your exoteric thoughts with
>  Neuronal Networks..> and distributed si
> gnature checking... INMHO uimplementable
>  in current IDS..> technologies...> ..>
> Quoting from www.snort.org:..> ..> "Pape
> r: Polymorphicisms be gone..> .....> His
>  ideas revolve around counting multiple
> NOP type operations in a row and..> aler
> ting when a threshold is reached. The id
> ea has been kicked around for a..> while
> , but this is the first one that I have
> seen in actual implementation...> .....>
>  "..> ..> Current snort branch and its t
> echnique to detect shellcode is very eas
> y..> foolable ;P... NIDSfindshellcode is
>  also foolable but in a harder way...> .
> .> Robert Flicker..> ..> _______________
> ________________________________________
> __________..> Join the world?s largest e
> -mail service with MSN Hotmail...> http:
> //www.hotmail.com.....
>
> Best Regards,
> Charles Stevenson
>
> Robert Flicker wrote:
> > Hi charles:
> >
> > Have you tested the sourcecode that comes with the paper:
> >
> > http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
> >
> > As far as i know is the first public code that does this stuff.
> > It may be not hot-news but i think it worth the download, and is a better
> > solution for current IDS than your exoteric thoughts with Neuronal
> > Networks and distributed signature checking... INMHO uimplementable in
> > current IDS technologies.
> >
> > Quoting from www.snort.org:
> >
> > "Paper: Polymorphicisms be gone
> > ...
> > His ideas revolve around counting multiple NOP type operations in a row
> > and alerting when a threshold is reached. The idea has been kicked around
> > for a while, but this is the first one that I have seen in actual
> > implementation. ...
> > "
> >
> > Current snort branch and its technique to detect shellcode is very easy
> > foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
> >
> > Robert Flicker
> >
> > _________________________________________________________________
> > Join the world?s largest e-mail service with MSN Hotmail.
> > http://www.hotmail.com

- -- 
_____________________________________________________
| Mike Murray                    <orestes () dorian 2y net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Uw1qzh1RVm1QrUwRAukCAKCWWZd2t7rOaAtsqlmlRysb63lsmwCaAgVm
lOj4KLlat2jpVFAyuNzkkx4=
=b4c0
-----END PGP SIGNATURE-----