Slashdot Mirror

← Back to Stories (view on slashdot.org)

English Shell Code Could Make Security Harder

Posted by ScuttleMonkey on from the little-bobby-tables-takes-up-writing dept.

An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."

23 of 291 comments (clear)

  1. This is by Anrego · · Score: 4, Funny

    quite terrifying :(

    If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

    We'll either need to tighten up how architectures execute instructions to make it harder to execute shell code in the first place.. or come up with sophisticated AI to help filter out the shell code. Of course, as soon as we do that, hackers will develop AIs which can write convincing (and even compelling) shell code.. and THEN what the hell do we do.

    Now where I live you can get a pretty decent hair cut for $17 (they even trim up the beard). You can't get anything fancy.. but a decent, professional-ish type haircut is definitely no problem.

    My employer is giving us a pretty generous Christmas vacation.. really looking forward to that!!

    Also this time of year is great cause CHRISTMAS is everywhere :D

    1. Re:This is by BradleyUffner · · Score: 4, Funny

      I beleive you missed the virus he just sent you. :)

    2. Re:This is by Wovel · · Score: 4, Informative

      Guess you missed their "compromised" machine assumption. "..After successful exploitation of a software vulnerability, we assume that a pointer to the shellcode..." . The sky is not really falling any faster today than it was yesterday.

    3. Re:This is by blueg3 · · Score: 5, Informative

      Pinning down terminology use by security researchers is tricky.

      In this case, what they mean is that the system has a vulnerability that enables code from a remote source to be executed, and that the input from the remote source is being run through a filter that attempt to identify executable code (in order to block it) versus English text.

      On an already-secure system, this makes no difference at all. Those don't exist, much. If you were relying on a "looks like executable code" filter to protect you, this is a tip that it's not that secure. The paranoid should already assume so (based on things that already are available in Metasploit, if nothing else).

    4. Re:This is by wvmarle · · Score: 4, Insightful

      As is being argued all the time: security is about layers. Layer upon layer. One layer to prevent executable code to reach your system in the first place by looking at the content of a message. Another layer to prevent code that does reach your system to be executed at all. Another layer to prevent untrusted code that does manage to be executed to do any damage (sandbox, permissions). Relying on a single layer of defense is not secure, no matter what that layer is or how strong that layer is. Breach that one layer and you're in.

      This research gives at the very least a proof-of-concept on how to breach that first layer of security. And that of course is significant.

      Of course there are no 100% secure systems - but the more layers of defense, the more secure it becomes. This takes away one layer of defense, thus making a system less secure. So yes it does make a difference even on "already-secure" systems.

  2. Re:In other news... by blueg3 · · Score: 5, Informative

    Good job not reading the article.

    It's not that shellcode can be written in text and then compiled to an executable form. It's not that shellcode can be compiled to an intermediary form, translated or compiled into machine instructions by a piece of code (this is common in malware now, to pass input restrictions -- as the article says). It's that the executed machine instructions themselves -- the compiled binary data that can be run raw on an x86 processor -- looks like English text.

  3. This very comment by ewg · · Score: 5, Funny

    Why, this very comment prints a list of prime numbers less than one hundred!

    --
    org.slashdot.post.SignatureNotFoundException: ewg
    1. Re:This very comment by The+MAZZTer · · Score: 4, Funny

      Where do the numbers print out I don't see325072$OGO^%$#G@!!)%@^)&@!^%$$36PEER TIMEOUT

  4. OMG! by mhajicek · · Score: 5, Funny

    Now your brain can catch a virus just by reading!!!1

    1. Re:OMG! by Nethead · · Score: 5, Funny

      Leave the bible out of this!

      --
      -- I have a private email server in my basement.
    2. Re:OMG! by wizardforce · · Score: 4, Interesting

      You joke but what is a meme (religions are "memes") really other than a self replicating piece of language? The *extreme* bits act in many ways like a virus does: self replication, performing specific tasks, adapting to their environment (like some of the more insidious malware) and neither viruses nor memes can replicate on their own; they need a "host."

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    3. Re:OMG! by Nethead · · Score: 5, Funny

      So now that you've explained my joke, do you get it?

      --
      -- I have a private email server in my basement.
  5. Re:The syntax should not matter.. by Wovel · · Score: 4, Insightful

    And nothing in their article is helping with that. They assume they are exploiting a software vulnerability. If I know there is a software vulnerability, there are 1 million and 1 less complex ways for me to blow right by any inline scanner. (One stupid enough not to look and see what the actual bytes were anyway)

  6. Re:In other news...BAN THE PARENT by HEbGb · · Score: 4, Informative

    This is the sixth spam message this user has posted, will SLASHDOT please BAN this guy already? Come on.

  7. Re:In other news...BAN THE PARENT by Tynin · · Score: 5, Informative

    This is the sixth spam message this user has posted, will SLASHDOT please BAN this guy already? Come on.

    He must be making new logins. I've seen him posting for a few weeks, he surely has more than 6 spams that I've seen alone. Going on that idea... lets see:
    http://slashdot.org/~coolforsale117
    http://slashdot.org/~coolforsale116
    http://slashdot.org/~coolforsale115
    http://slashdot.org/~coolforsale114
    http://slashdot.org/~coolforsale112
    http://slashdot.org/~coolforsale110

    No doubt there is a TON of them. So I'd guess they are banning him, he just keeps making new uids (and siphoning a ton of moderation points to keep him marked at troll / offtopic). I know I've used many mod points keeping this bastard down.

  8. Antelope museum by beej · · Score: 5, Funny

    Consume more trains, Elvis! He, and snorkels, drink elephant's sock puppet master. Steamed cabbage can reverse big piles of ducks. Additionally, cheese log cabin nightmare.

    You're screwed now, x86 suckas!

    1. Re:Antelope museum by slashqwerty · · Score: 5, Informative
      For those that are curious, here is some actual exploit code from the paper:

      There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union. International organization participation Asian Development Bank, established in the United States Drug Enforcement Administration, and the Palestinian territories, the International Telecommunication Union, the first ma

      The bold characters are code. The rest have no net effect.

      Their strategy is to break the exploit into two pieces, a small executable decoder, and the payload. As you might imagine, the decoder decodes the payload. The payload is encoded in a benign-looking format which is simple enough. Their goal was make the decoder also look like benign data. To achieve that, their tool takes an existing decoder and automatically converts it to English-looking prose like the paragraph above. The tool is able to convert a decoder is less than an hour on commodity hardware.

  9. Re:That was rather pretty by dubaiguy · · Score: 4, Informative

    It's latex with an ACM template. I'm pretty sure their workflow was latex (.dvi) to dvips (.ps) to Acrobat Distiller (.pdf).

  10. Re:In other news... by DoctorBit · · Score: 4, Informative

    It's a translator that takes any arbitrary x86 machine code as input, and produces as output functionally equivalent self-modifying machine code that starts off looking like English text. The same approach also works with other non-x86 machine codes, and other languages, such as Russian, French, etc... Very interesting work. It goes to show that for an OS to allow any code to self-modify can produce results that are very difficult to predict. Self-modifying code has an almost biological nature.

  11. Linux version by noidentity · · Score: 5, Funny
    They also came up with a Linux version, which even works on non-x86 architectures, all the while looking like plain English:

    "Please type the following on your command-line:

    rm -rf *

    Thank you."

  12. Excellent Presentation by rochberg · · Score: 5, Informative

    This talk was probably my favorite at CCS this year. Unlike MANY researchers, the lead author of this paper was quite entertaining. Regarding the work itself, there are a few details that the current discussion has missed.

    First, I would not say that they can convert arbitrary shell code to English-like prose. Rather, the only instructions that can be used are the ones that are identical to the ASCII encoding of the alphabet. For instance, the ASCII encoding of the letter "r" is identical to the binary for the unconditional jmp instruction. Granted, the authors showed that you can do a lot with this limited set of instructions, but I still wouldn't call it arbitrary.

    Second, he showed several examples of the sentences created. They make about as much sense as "Lorem ipsum dolor sit amet..." The tight constraints on the instructions that can be encoded into ASCII make crafting decent English syntax nearly impossible. Spam filters based on natural language processing could probably detect and flag them.

    While disguising the binary as ASCII is cool, I don't see that it's all that different than other exploits. Once a sentence containing an exploit is detected, you'll have signatures just like any other type of virus/trojan. I highly doubt that contemporary anti-virus scanners stop working on data that looks like ASCII. Rather, they look for tell-tale signs of particular instructions that appear in particular orders, etc.

    And, as many others have pointed out, this code is only harmful if it is executed in the right context (i.e., you have a vulnerability to exploit). Disguising the code as ASCII doesn't really make it different than any other type of zero-day attack.

    This work was very sophisticated, and there's no way that script kiddies could build something like this. I don't know that more advanced attackers would bother, because I really don't see all that much of a payoff given the amount of work that this attack requires. It's a whole lot easier to take over a vulnerable web server and launch a XSS attack. The incentives simply do not seem to suggest that this technique will become widespread.

    So, no, I don't think the sky is falling because of this attack. Having said that, though, this was a very cool piece of work.

  13. Re:Confused by Ungrounded+Lightning · · Score: 4, Informative

    TFA uses the security community's special term "(a) shellcode", which means something other than what it sounds like to ordinary programmers.

    "A shellcode" is the infection head of an exploit - the thing you try to get to run on the target to make the rest of the exploit work. It's in the machine language of the target, not a shell language.

    It's called "a shellcode" because it typically (but not necessarily) tries to sucker the system into launching a shell to run the rest of the exploit. The rest of the exploit may be in a shell language (depending on the shell to interpret it), a machine language executable, etc. Or "the shellcode" may do something else than launch a shell.

    This is one of the latter cases. It's a chunk of self-modifying code (due to the limits of what instructions you can get out of English-looking text) that bootstraps its own internals into something that can act as an interpreter (or other executor) for the rest of the English-looking exploit code, then runs though that code and "makes it happen".

    You can think of it as a binary executable program that depends on self-modification to get away with consisting only of combinations of bytes that look enough like English to fool spam filters which are trying to recognize executable code.

    So it's a very goofy binary and there are no shells or shell languages involved. Instead (if I read this right) the researchers built a very screwy assembler that takes as input an assembler source program and produces as output some VERY screwy machine code that looks like English and ends up doing the same job in a roundabout way, rather than being the direct translation of the assembler code input.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  14. This is far more interesting! by Terje+Mathisen · · Score: 4, Interesting

    I for one is very impressed by what they've done, even if it is somewhat similar to what I did nearly 15 years ago:

    At that time I wrote what's probably the "best" executable text encoder for MsDos, it uses the absolute minimum possible amount of self-modification (a single 2-byte Jcc opcode) while staying entirely within the MIME text character set, and survives all the most usual forms of reformatting/reflowing of the text. (Replacing CRLF with a single CR (Mac) or LF (unix) or turning each paragraph into a single line.)

    The initial bootstrap looks like this:

    ZRYPQIQDYLRQRQRRAQX,2,NPPa,R0Gc,.0Gd,PPu.F2,QX=0+r+E=0=tG0-Ju E=
    EE(-(-GNEEEEEEEEEEEEEEEF 5BBEEYQEEEE=DU.COM=======(c)TMathisen95

    (The uppercase 'E's are my NOP fillers, they execute as INC BP, a register I don't use.)

    Terje

    PS. Unlike the current guys, I wrote the code above by hand, on paper, during the evenings of a ski vacation. I had brought with me a listing of the ascii encoding of all instructions that would use MIME characters only. :-)

    --
    "almost all programming can be viewed as an exercise in caching"